Limiting script access
Any discussion about the security of micro frontends first requires a context to be defined. Are we talking about micro frontends composed on the server or on the client? Or both? As an example, if we talk about micro frontends following the island composition introduced in Chapter 7, then we have a scenario at hand where scripts from different micro frontends are evaluated on a central server.
The central server is certainly beneficial from a performance point of view, but also problematic in the security area. If we just imported the scripts from any team and treated them like all the other modules from the same server, we’d run into security issues such as arbitrary code injection, file system manipulation, or other unwanted risks.
The way out of this is to sandbox the scripts. In Node.js, we can do that by using the in-built vm module. This makes it necessary to specify the allowed global variables, including a require function to import other...
