amplitude/Amplitude-TypeScript

Remote Script Loading in `@amplitude/analytics-browser` Violates Chrome Extension Manifest V3 Policies

ValentinBessonov opened this issue · 5 comments

Issue Summary

The latest version of @amplitude/analytics-browser includes a reference to a remotely hosted script (https://cdn.amplitude.com/libs/visual-tagging-selector-1.0.0-alpha.js.gz). This script is loaded during the operation of the library, which conflicts with Google Chrome Extension Manifest V3 policies. These policies prohibit the inclusion of any remotely hosted code to ensure the security and integrity of Chrome Extensions.

Steps to Reproduce

  1. Install the latest version of @amplitude/analytics-browser.
  2. Integrate it into a Chrome Extension project using Manifest V3.
  3. Submit the extension to the Chrome Web Store.
  4. The submission will fail due to the inclusion of remotely hosted code.

Expected Behavior

The @amplitude/analytics-browser library should not load any remote scripts to comply with Chrome Extension Manifest V3 policies. Instead, all required scripts should be included within the extension package.

Current Workaround

Downgrading to version 2.9.2 of @amplitude/analytics-browser resolves the issue as this version does not include the problematic remote script.

Request

Please consider removing the remote script loading in future versions of @amplitude/analytics-browser or providing an option to disable this behavior. This change is essential for users who need to comply with Chrome Extension security requirements.

Thank you for your attention to this matter.
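A pre-submission check for the situation this issue describes, added here as an example (it is not part of the original issue or of Amplitude's code): it scans an extension's built sources for string references to remotely hosted scripts, such as the URL quoted in the summary above. The function names and the sample bundle are constructed for illustration.

```javascript
// Added example: flag remote script references in an extension bundle
// before submitting it for review. All names here are hypothetical.

// Matches http(s) URLs whose path ends in a script-like extension,
// optionally compressed (.gz/.br) and optionally followed by a query string.
// The lookahead rejects near-misses such as ".json".
const REMOTE_SCRIPT_URL =
  /https?:\/\/[^\s"'`<>\\)]+?\.(?:m?js|wasm)(?:\.(?:gz|br))?(?:\?[^\s"'`<>\\)]*)?(?=["'`\s<>\\)]|$)/gi;

// files: object mapping a file name to its source text.
// Returns one finding per remote script URL, with a 1-based line number.
function findRemoteScriptRefs(files) {
  const findings = [];
  for (const [file, source] of Object.entries(files)) {
    for (const match of source.matchAll(REMOTE_SCRIPT_URL)) {
      const line = source.slice(0, match.index).split('\n').length;
      findings.push({ file, line, url: match[0] });
    }
  }
  return findings;
}

// Node.js helper: scan every .js/.mjs/.html file under a build directory.
// readdir's `recursive` option needs Node 18.17+ or 20.1+.
async function scanBuildDir(dir) {
  const { readdir, readFile } = await import('node:fs/promises');
  const { join } = await import('node:path');
  const files = {};
  for (const rel of await readdir(dir, { recursive: true })) {
    if (/\.(?:m?js|html)$/i.test(rel)) {
      files[rel] = await readFile(join(dir, rel), 'utf8');
    }
  }
  return findRemoteScriptRefs(files);
}

// Constructed sample standing in for a bundled extension.
const sampleBundle = {
  'background.js': [
    'const API = "https://api.example.invalid/2/httpapi";',
    'const cfg = "https://example.invalid/settings.json";',
    'const s = document.createElement("script");',
    's.src = "https://cdn.amplitude.com/libs/visual-tagging-selector-1.0.0-alpha.js.gz";',
  ].join('\n'),
  'popup.js': 'import("./chunks/local-module.js");',
};

console.log(findRemoteScriptRefs(sampleBundle));
```

Running `scanBuildDir` on the build output in CI and failing on a non-empty result catches a dependency upgrade that introduces such a reference before the package is uploaded.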

+1, I have the same issue

+1, just got my extension update rejected because of this

+1