XSS and consideration in regard of module federation
What about XSS?
As I load modules server-side and client-side, I certainly am extending the attack vector, aren't I?
Are there any recommendations or considerations, or am I totally wrong in the assumption?
CSP is a good idea. SRI if you really want lockdowns.
In reality though, these are laborious attack vectors to go after. If I'm already in your JS, it's easier to just patch JsonpCallback or webpack chunk loading global. Then they control chunk loading entirely. So I wouldn't be too concerned client-side. Just have good CSP. All MF does is put a more complex attack vector into the code. When I attack sites, I skip my own API and patch Webpack's whole chunk load system.
The chunk loading global exists in all Webpack builds, regardless of federation. I'd waste time patching MF containers; I'd just take over Webpack outright.
Check out our runtime hooks. You can make auth between the remote and reject their use. Ultimately, if you have unauthorized code executing on your domain, you are already toast and federation is a less effective way to attack since you already own the client at that point. Can do the same with npm packages you install.
The security threat is that you run JS to begin with.