Serve polyfill bundle from segment.com domain (for snippet/standalone users) #1119
Comments
@seg-leonelsanches a bit confused by the title -- I can see why we would want to update our lib dependency to use corejs instead of babel, but changing to another package hosted on cdnjs like corejs does not have anything to do with CSP violations? That is related to the polyfill strategy itself of injecting a third party url into the head as a script tag, not deprecation. What am I missing? If they are getting CSP violations and they want to fix them, they would just need to update their CSP to whitelist that host from the blocked domain specified by the violation message.
@silesky Customer claims that updating the library should fix the CSP violation they are having. They will update the whitelist if we update the polyfill package.
We do not have this polyfill domain in our CSP and get a CSP violation error.
@igoldny thanks for the feedback, this is something that has been on my personal radar forever, so it's good to see this validated by an actual issue. The strategy of doing some primitive sniffing and injecting a huge bundle via the script tag always felt a bit hacky to me regardless (I've never seen this strategy before), and I wonder if there's a way to improve it. If it makes you feel slightly better, cdnjs is controlled by Cloudflare, not a fly-by-night open source project like polyfill.io. I agree that anything we serve such as the polyfill bundle should be served through the segment domain, and did a double take the first time I saw this line of code. Anyway, we have an issue tracking this (and other similar scenarios) as a betterment.
@silesky Is there an ETA for it? What are your suggestions until you fix it? (We want to avoid adding it to our CSP.)
@yonayarin can't give an ETA, unfortunately. Since this is only an analytics HTML snippet behavior, my recommendation would be to switch to installing this library via npm.
One of our customers reported that we are using @babel/polyfill, which is a deprecated library. The package documentation recommends using core-js/stable instead.
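The CSP point raised in the comments (a script the snippet injects from a host the customer's policy does not list is reported as a violation, and listing that host is the allowlist fix) can be checked offline with a small script-src matcher. This is an added example, not code from the analytics.js project; the cdnjs polyfill path and the customer's policy are constructed samples, and cdn.segment.com is assumed to be the segment-domain host the comments refer to.

```javascript
// Added example (not project code): minimal CSP script-src host matching, to test
// whether a snippet-injected script would be a violation under a given policy.

function parseScriptSrc(policy) {
  // script-src governs <script> loads; default-src applies when it is absent.
  const directives = policy.split(';').map(d => d.trim()).filter(Boolean);
  for (const name of ['script-src', 'default-src']) {
    const d = directives.find(x => x.toLowerCase().split(/\s+/)[0] === name);
    if (d) return d.split(/\s+/).slice(1);
  }
  return null; // no applicable directive: CSP does not restrict scripts
}

function hostSourceMatches(source, url) {
  const u = new URL(url);
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return u.protocol === source.toLowerCase(); // scheme-source, e.g. "https:"
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^\/:]+)(?::(\d+|\*))?/i.exec(source); // host-source; path part ignored here
  if (!m) return false;
  const [, scheme, host, port] = m;
  if (scheme && scheme.toLowerCase() + ':' !== u.protocol) return false;
  if (!scheme && !['http:', 'https:'].includes(u.protocol)) return false;
  const h = host.toLowerCase(), target = u.hostname.toLowerCase();
  if (h.startsWith('*.')) {
    if (!target.endsWith(h.slice(1))) return false; // '*.segment.com' does not match 'segment.com' itself
  } else if (h !== '*' && h !== target) return false;
  if (port && port !== '*') {
    const actual = u.port || (u.protocol === 'https:' ? '443' : '80');
    if (actual !== port) return false;
  }
  return true;
}

function isScriptAllowed(policy, url, pageOrigin) {
  const sources = parseScriptSrc(policy);
  if (sources === null) return true;
  return sources.some(s => {
    if (s.startsWith("'")) return s === "'self'" && new URL(url).origin === pageOrigin; // 'none', nonces, hashes, 'unsafe-*' never match a host
    return hostSourceMatches(s, url);
  });
}

// Constructed samples: the policy lists only the page origin and the segment host
// (cdn.segment.com assumed), so the cdnjs-hosted polyfill the snippet injects is blocked.
const PAGE_ORIGIN = 'https://shop.example';
const POLYFILL_URL = 'https://cdnjs.cloudflare.com/ajax/libs/example-polyfill/1.0.0/polyfill.min.js'; // constructed path
const CUSTOMER_CSP = "default-src 'self'; script-src 'self' https://cdn.segment.com";
const ALLOWLISTED_CSP = CUSTOMER_CSP + ' https://cdnjs.cloudflare.com'; // the allowlist fix from the thread

console.log(isScriptAllowed(CUSTOMER_CSP, POLYFILL_URL, PAGE_ORIGIN)); // false: this is the reported violation
```

Serving the bundle from the segment domain, as the thread proposes, makes the extra host entry unnecessary because the existing https://cdn.segment.com source already matches it.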