segmentio / analytics-next

Segment Analytics.js 2.0
https://segment.com/docs/connections/sources/catalog/libraries/website/javascript
MIT License
402 stars 136 forks

Serve polyfill bundle from segment.com domain (for snippet/standalone users) #1119

Open seg-leonelsanches opened 2 months ago

seg-leonelsanches commented 2 months ago

One of our customers reported that we are using @babel/polyfill, which is a deprecated library. The package documentation recommends using core-js/stable instead.

silesky commented 2 months ago

@seg-leonelsanches a bit confused by the title -- I can see why we would want to update our lib dependency to use corejs instead of babel, but changing to another package hosted on cdnjs like corejs does not have anything to do with csp violations? That is related to the polyfill strategy itself of injecting a third party url into the head as script tag, not deprecation.

What am I missing?

If they are getting csp violations and they want to fix them, they would just need to update their csp to whitelist that host from the blocked domain specified by the violation message.

seg-leonelsanches commented 2 months ago

@silesky Customer claims that updating the library should fix the CSP violation they are having. They will update the whitelist if we update the polyfill package.

igoldny commented 2 months ago

We do not have this polyfill domain in our CSP and get a CSP violation error, and following the Polyfill[.]io Attack we prefer not adding any polyfill related rules. Please ensure that all files Segmentio has used come from the Segmentio CDN. Thanks

silesky commented 2 months ago

@igoldny thanks for the feedback, this is something that has been on my personal radar forever, so it's good to see this validated by an actual issue. The strategy of doing some primitive sniffing and injecting a huge bundle via the script tag always felt a bit hacky to me regardless (I've never seen this strategy before), and I wonder if there's a way to improve it. If it makes you feel slightly better, cdnjs is controlled by Cloudflare, not a fly-by-night open source project like polyfill.io.

I agree that anything we serve such as the polyfill bundle should be served through the segment domain, and did a double take the first time I saw this line of code.

Anyway, we have an issue tracking this (and other similar scenarios) as a betterment.

yonayarin commented 1 month ago

@silesky Is there an ETA for it? What are your suggestions until you fix it? (We want to avoid adding it to our CSP.)

silesky commented 1 month ago

@yonayarin can't give an ETA, unfortunately.

Since this is only an analytics html snippet behavior, my recommendation would be to switch to installing this library via npm.
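As an added illustration of the CSP side of this thread (not code from analytics-next or any of the commenters): a minimal `script-src` matcher that shows why an injected third-party polyfill URL trips a policy that only lists the page and its own CDN, and what host-source the "whitelist that host" advice amounts to. All hostnames and the policy string are constructed for the example.

```javascript
// Added example, not analytics-next code: a minimal CSP script-src matcher that reports whether
// a script URL is permitted. Handles 'self', 'none', '*', scheme-sources (https:) and host-sources
// with optional scheme and *.wildcard; ports are ignored and nonce/hash keywords never match by host.
function parsePolicy(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) directives[name.toLowerCase()] = sources.map((s) => s.toLowerCase());
  }
  return directives;
}

// Match one host-source such as https://cdn.example or *.example against a parsed URL.
function hostSourceMatches(source, url) {
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::[^/]*)?(\/.*)?$/.exec(source);
  if (!m) return false;
  const [, scheme, host] = m;
  if (scheme && `${scheme}:` !== url.protocol) return false;
  if (!host.startsWith('*.')) return url.hostname === host;
  const suffix = host.slice(1); // '*.example' -> '.example'; at least one extra label required
  return url.hostname.endsWith(suffix) && url.hostname.length > suffix.length;
}

function scriptAllowed(policy, scriptUrl, pageOrigin) {
  const d = parsePolicy(policy);
  const sources = d['script-src'] || d['default-src'] || ['*']; // no directive at all: unrestricted
  const url = new URL(scriptUrl);
  for (const src of sources) {
    if (src === "'none'") return false;
    if (src === "'self'") { if (url.origin === pageOrigin) return true; continue; }
    if (src.startsWith("'")) continue; // 'nonce-...', 'sha256-...', 'unsafe-inline', ...
    if (src === '*' || (src.endsWith(':') && url.protocol === src)) return true;
    if (!src.endsWith(':') && hostSourceMatches(src, url)) return true;
  }
  return false;
}

// Constructed scenario (made-up hostnames): the page allows only itself and its own CDN,
// while the analytics snippet injects a polyfill bundle from a third-party CDN.
const PAGE_ORIGIN = 'https://app.example';
const POLICY = "default-src 'self'; script-src 'self' https://cdn.example";
const POLYFILL_URL = 'https://polyfill-cdn.example/polyfill.min.js';
function demo() {
  const fix = new URL(POLYFILL_URL).origin; // host-source a violation report's blocked-uri points to
  const before = scriptAllowed(POLICY, POLYFILL_URL, PAGE_ORIGIN); // false: this is the CSP violation
  const after = scriptAllowed(`${POLICY} ${fix}`, POLYFILL_URL, PAGE_ORIGIN); // true: appended to script-src
  return { before, fix, after };
}
```

Feeding a real violation report's `blocked-uri` into `new URL(...).origin` gives the same host-source the comment above recommends adding; switching to the npm install removes the injected script and the directive change with it.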