Make Nextjs plugin work with a strict CSP policy (no unsafe-eval)

[fcano-ut]

I'm getting an error when running Next.js and Module Federation, related to the use of "unsafe-eval" code which is blocked by my CSP directives. The issue seems to be in this line of code:

Doing code search I could find several references of that line of code in this codebase (https://github.com/search?q=repo:module-federation/core+%22return+globalThis%22&type=code), and looking at the context, it seems to come from the Module Federation Next.js plugin. This result matches pretty much exactly with the code in my bundle:

core/packages/nextjs-mf/src/plugins/container/runtimePlugin.ts

Line 72 in e38e48d

const gs = new Function('return globalThis')();

I found two related issues (#2631, #2015), but both of them are closed. I was wondering if someone has the plugin working in production with a strict CSP policy, and if there was any workaround needed. Thanks

[fcano-ut]

I opened this as issue #2759 after being able to reproduce this in a "clean" environment