Closed antifuchs closed 2 years ago
Hi there! Thanks for the contribution! Unfortunately we can't make changes to the snippet code in this repository, as it's automatically synced from our internal version. I wasn't familiar with the Trusted Types spec, TIL! TrustedScriptURL looks useful, I'll coordinate with our web capture team, who owns the snippet code, to see if we can get an equivalent change made there to support this.
I'm also going to add some contribution guidelines to this repo to make the restriction around not changing the snippet clearer.
Given that this requires coordination with the capture API, I'm going to close this PR in favor of opening an issue with this feature request. If we add support for this to the capture API it should be straightforward to pass a TrustedScriptURL down from this SDK.
This PR adjusts the snippet code to support passing a TrustedScriptURL to the setup code, which allows very strict pages to keep being strict about what code they allow to dynamically add elements/scripts to the code. It is somewhat suboptimal in that it modifies the JS snippet, but I think it results in a much nicer and more secure page code that still integrates the FullStory tracker.
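For reference, a sketch of the page-side Trusted Types policy that would produce the TrustedScriptURL discussed in this PR. This is an added example, not code from the PR, the snippet or the SDK; the policy name, the allowlisted host and the `loadScript` helper are hypothetical, and it assumes a page CSP that enforces Trusted Types.

```javascript
// Added example; the policy name, host and helper names are hypothetical.
// Page CSP assumed: require-trusted-types-for 'script'; trusted-types tracker-loader
const ALLOWED_SCRIPT_HOSTS = new Set(['edge.tracker.example']); // constructed placeholder

// Validation callback for the policy: return the normalized URL or throw.
function checkScriptURL(input) {
  // Parse instead of string-matching, so userinfo, port and
  // scheme-relative tricks are resolved before the host is compared.
  const url = new URL(String(input), 'https://app.example/');
  if (url.protocol !== 'https:') {
    throw new TypeError('script URL must be https, got ' + url.protocol);
  }
  if (!ALLOWED_SCRIPT_HOSTS.has(url.host)) {
    throw new TypeError('script host not allowlisted: ' + url.host);
  }
  return url.href;
}

// With Trusted Types available, the browser wraps the callback's result in a
// TrustedScriptURL. Without it, the same validation runs and a plain string
// comes back, so callers use one code path either way.
function makeScriptURLPolicy(name) {
  const tt = globalThis.trustedTypes;
  if (tt && typeof tt.createPolicy === 'function') {
    return tt.createPolicy(name, { createScriptURL: checkScriptURL });
  }
  return { createScriptURL: checkScriptURL };
}

// The sink: under enforcement, assigning a raw string to script.src throws,
// so the value has to come from the policy.
function loadScript(doc, policy, src) {
  const el = doc.createElement('script');
  el.async = true;
  el.src = policy.createScriptURL(src);
  doc.head.appendChild(el);
  return el;
}
```

Keeping the allowlist inside the policy callback means the `trusted-types` directive names the only code on the page that can mint script URLs.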