juliansteenbakker / mobile_scanner

A universal scanner for Flutter based on MLKit. Uses CameraX on Android and AVFoundation on iOS.
BSD 3-Clause "New" or "Revised" License
860 stars 508 forks

[Web] Please make it optional to automatically inject JS #485

Open rokk4 opened 1 year ago

rokk4 commented 1 year ago

Before that we were able to locally host the JS scripts. Now I don't know how to prevent a request to unpkg from being made. Can the autoinjection be made optional?

rokk4 commented 1 year ago

FYI: commenting the line works fine. https://github.com/juliansteenbakker/mobile_scanner/commit/d3260a09bc74de83294d1c36032fa91720744ef6

p-mazhnik commented 1 year ago

I'll think about adding this.

As a current workaround, you can create a custom BarcodeReader class with an overridden jsLibraries field:

```dart
class MyBarcodeReader extends ZXingBarcodeReader {
  MyBarcodeReader({required super.videoContainer});

  // An empty list means there are no JS libraries for the plugin to inject.
  @override
  List<JsLibrary> get jsLibraries => [];
}
```

Replace the default barCodeReader:

```dart
MobileScannerWebPlugin.barCodeReader = MyBarcodeReader(videoContainer: MobileScannerWebPlugin.vidDiv);
```

Note that this is web-only code, so you will need to use conditional imports if you have cross-platform support.

rokk4 commented 1 year ago

@p-mazhnik Thanks for considering this and thank you for providing a workaround. I gave this some thought and came to the conclusion that the autoinjection of the js-libs is an anti-feature.

Why? Most importantly, it eliminates the choice of where to get the libs from. This is important in scenarios where you either want to be able to choose the CDN or need to verify/sign the loaded scripts (CSP hash etc.), e.g. high-security environments, and also in scenarios like mine, where you need to avoid CDN requests because of regulatory compliance.

I would not build a banking application that loads a script from an uncontrolled third-party source (supply chain attacks!).

It is also needed if you want to build an offline app; even with caching you would need a WAN uplink on the first launch.

These huge negatives stand against an IMHO irrelevant quality-of-life improvement: not having to add one line of code to the index.html. Or are there any other benefits of this that I am not seeing?
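The "verify the loaded scripts (CSP hash etc.)" point from the thread, as an added example that is not part of the issue or of mobile_scanner's code: a Node.js helper that pins a self-hosted script with a Subresource Integrity value, re-checks the file against that pin, and flags `script-src` entries such as unpkg that are not pinned. The path `/vendor/scanner-lib.js` and the sample bytes are constructed for illustration.

```javascript
const nodeCrypto = require("node:crypto");

// SRI / CSP hash-source value: "<alg>-<base64 digest>" over the exact bytes served.
function sriHash(bytes, alg = "sha384") {
  return `${alg}-${nodeCrypto.createHash(alg).update(bytes).digest("base64")}`;
}

// <script> tag for index.html that loads a self-hosted copy and pins its content.
function scriptTag(src, bytes) {
  return `<script src="${src}" integrity="${sriHash(bytes)}"></script>`;
}

// Build-time check: does the vendored file still match the pinned value?
function verifyPinned(bytes, pinned) {
  const alg = pinned.split("-", 1)[0];
  if (!["sha256", "sha384", "sha512"].includes(alg)) return false;
  const actual = Buffer.from(sriHash(bytes, alg));
  const expected = Buffer.from(pinned);
  return actual.length === expected.length &&
    nodeCrypto.timingSafeEqual(actual, expected);
}

// script-src entries that are neither 'self', 'none', a hash nor a nonce.
// Returns null when the policy has no script-src directive
// (the default-src fallback is not evaluated here).
function unpinnedScriptSources(csp) {
  const directive = csp.split(";")
    .map((d) => d.trim().split(/\s+/))
    .find((d) => d[0].toLowerCase() === "script-src");
  if (!directive) return null;
  const pinned = /^'(self|none|sha(256|384|512)-[^']+|nonce-[^']+)'$/;
  return directive.slice(1).filter((s) => !pinned.test(s));
}

// Constructed sample input standing in for a vendored scanner library.
const sample = Buffer.from("/* constructed sample library */\nwindow.demo = 1;\n");
const pinnedValue = sriHash(sample);

console.log(scriptTag("/vendor/scanner-lib.js", sample)); // hypothetical path
console.log(verifyPinned(sample, pinnedValue));
console.log(unpinnedScriptSources(
  "default-src 'self'; script-src 'self' https://unpkg.com"));
```

Run `verifyPinned` in the build pipeline so that a changed vendored file fails the build instead of being served with a stale `integrity` attribute.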