Refused to load the script 'https://dev.myapp.com/products/_next/static/chunks/remoteEntry.js' because it violates the following Content Security Policy directive: "script-src 'self'". Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self'". Enter fullscreen mode Exit fullscreen mode You shipped a hardened Content-Security-Policy header to staging on Friday afternoon. The host renders. Every federated remote shows a blank white box. The fix is not on Stack Overflow because nobody warns you that webpack's Module Federation runtime calls eval() to bootstrap the remote container . Strip 'unsafe-eval' from script-src and every remote dies before a single module mounts. I just published the complete CSP block we run in production for a Next.js MFE.…