Remote Script Loading in `@amplitude/analytics-browser` Violates Chrome Extension Manifest V3 Policies

[ValentinBessonov]

Issue Summary

The latest version of @amplitude/analytics-browser includes a reference to a remotely hosted script (https://cdn.amplitude.com/libs/visual-tagging-selector-1.0.0-alpha.js.gz). This script is loaded during the operation of the library, which conflicts with Google Chrome Extension Manifest V3 policies. These policies prohibit the inclusion of any remotely hosted code to ensure the security and integrity of Chrome Extensions.

Steps to Reproduce

1. Install the latest version of @amplitude/analytics-browser.
2. Integrate it into a Chrome Extension project using Manifest V3.
3. Submit the extension to the Chrome Web Store.
4. The submission will fail due to the inclusion of remotely hosted code.

Expected Behavior

The @amplitude/analytics-browser library should not load any remote scripts to comply with Chrome Extension Manifest V3 policies. Instead, all required scripts should be included within the extension package.

Current Workaround

Downgrading to version 2.9.2 of @amplitude/analytics-browser resolves the issue as this version does not include the problematic remote script.

Request

Please consider removing the remote script loading in future versions of @amplitude/analytics-browser or providing an option to disable this behavior. This change is essential for users who need to comply with Chrome Extension security requirements.

Thank you for your attention to this matter.

[AlexPl292]

+1, I have the same issue

[wilkerlucio]

+1, just got my extension update rejected because of this

[nemmtor]

+1

[SolutionsEngineer]

+1

[lennardevertz]

+1

[Mercy811]

Hi, thanks for choosing Amplitude. We are working on a fix for it. For a workaround, please use a version <= 2.9.3.