Comments (1)
CSP is a good idea. SRI if you really want lockdowns.
In reality though, these are laborious attack vectors to go after. If I'm already in your JS, it's easier to just patch JsonpCallback or webpack chunk loading global. Then they control chunk loading entirely. So I wouldn't be too concerned client-side. Just have good CSP. All MF does is put a more complex attack vector into the code. When I attack sites, I skip my own API and patch Webpack's whole chunk load system.
The chunk loading global exists in all Webpack builds, regardless of federation. I'd waste time patching MF containers; I'd just take over Webpack outright.
Check out our runtime hooks. You can make auth between the remote and reject their use. Ultimately, if you have unauthorized code executing on your domain, you are already toast and federation is a less effective way to attack since you already own the client at that point. Can do the same with npm packages you install.
The security threat is that you run JS to begin with.
from module-federation-examples.
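The comment's advice (a CSP allowlist, with SRI for stricter lockdown) sketched for a federated host, as an added example that is not part of the original comment or the project's own code. The remote names, URLs and entry body are constructed, and the helper names are hypothetical.

```javascript
const nodeCrypto = require("node:crypto");

// Constructed sample: remote name -> remoteEntry URL (hypothetical hosts).
const REMOTES = {
  checkout: "https://checkout.example.com/remoteEntry.js",
  search: "https://search.example.com/assets/remoteEntry.js",
  promo: "https://checkout.example.com/promo/remoteEntry.js",
};

// SRI value in the form used by <script integrity="...">.
function sriFor(body, algo = "sha384") {
  const digest = nodeCrypto.createHash(algo).update(body).digest("base64");
  return `${algo}-${digest}`;
}

// Build a script-src allowlist limited to 'self' plus the remotes' origins.
function buildCsp(remotes) {
  const origins = new Set();
  for (const url of Object.values(remotes)) {
    const u = new URL(url);
    if (u.protocol !== "https:") throw new Error(`non-HTTPS remote: ${url}`);
    origins.add(u.origin);
  }
  const list = [...origins].sort().join(" ");
  return `script-src 'self' ${list}; object-src 'none'; base-uri 'self'`;
}

// Compare a fetched remote entry against the SRI value pinned at release.
function matchesPin(body, pinned) {
  const algo = pinned.split("-", 1)[0];
  if (!["sha256", "sha384", "sha512"].includes(algo)) return false;
  const actual = Buffer.from(sriFor(body, algo));
  const expected = Buffer.from(pinned);
  return actual.length === expected.length &&
    nodeCrypto.timingSafeEqual(actual, expected);
}

// Constructed remote entry body and its pin.
const released = "var checkout = { get() {}, init() {} };";
const pin = sriFor(released);
console.log(buildCsp(REMOTES));
console.log(pin, matchesPin(released, pin), matchesPin(released + "/*x*/", pin));
```
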