Amplitude-TypeScript icon indicating copy to clipboard operation
Amplitude-TypeScript copied to clipboard
verified publisher icon amplitude

Remote Script Loading in `@amplitude/analytics-browser` Violates Chrome Extension Manifest V3 Policies

Open ValentinBessonov opened this issue 1 year ago • 11 comments

Issue Summary

The latest version of @amplitude/analytics-browser includes a reference to a remotely hosted script (https://cdn.amplitude.com/libs/visual-tagging-selector-1.0.0-alpha.js.gz). This script is loaded during the operation of the library, which conflicts with Google Chrome Extension Manifest V3 policies. These policies prohibit the inclusion of any remotely hosted code to ensure the security and integrity of Chrome Extensions.

Steps to Reproduce

  1. Install the latest version of @amplitude/analytics-browser.
  2. Integrate it into a Chrome Extension project using Manifest V3.
  3. Submit the extension to the Chrome Web Store.
  4. The submission will fail due to the inclusion of remotely hosted code.

Expected Behavior

The @amplitude/analytics-browser library should not load any remote scripts to comply with Chrome Extension Manifest V3 policies. Instead, all required scripts should be included within the extension package.

Current Workaround

Downgrading to version 2.9.2 of @amplitude/analytics-browser resolves the issue as this version does not include the problematic remote script.

Request

Please consider removing the remote script loading in future versions of @amplitude/analytics-browser or providing an option to disable this behavior. This change is essential for users who need to comply with Chrome Extension security requirements.

Thank you for your attention to this matter.

ValentinBessonov avatar Aug 24 '24 09:08 ValentinBessonov

+1, I have the same issue

AlexPl292 avatar Sep 05 '24 05:09 AlexPl292

+1, just got my extension update rejected because of this

wilkerlucio avatar Sep 10 '24 13:09 wilkerlucio

+1

nemmtor avatar Oct 18 '24 17:10 nemmtor

+1

SolutionsEngineer avatar Oct 18 '24 17:10 SolutionsEngineer

+1

lennardevertz avatar Oct 18 '24 17:10 lennardevertz

Hi, thanks for choosing Amplitude. We are working on a fix for it. For a workaround, please use a version <= 2.9.3.

Mercy811 avatar Nov 05 '24 23:11 Mercy811

Hi @Mercy811 - there have been 4 months of improvements to @amplitude/analytics-browser since this guidance was offered. I just had an extension rejected for the reasons mentioned above on the latest version (2.11.11).

If there is no fix imminent, can you recommend some workaround that would allow the current version of the package to be used that doesn't break core functionality?

I'm going to try including the script in my bundle and modifying the extension build output to refer to it, rather than loading from your CDN, although there's quite a bit of code in that resource and it would increase the size of my relatively lean extension by 50%.

But generally this isn't sustainable, as I'll need to pin my version of the @amplitude/analytics-browser SDK, hope Amplitude isn't changing the script on the CDN behind the scenes, and repeat this process every time I want to bump the SDK to the newest version.

It seems like ideally this would be tree-shaken out by rewiring the code to only include it when necessary. Another possibility might be to allow imports of amplitude functions from a different package endpoint, ex:

import { track } from '@amplitude/analytics-browser/web-extension'

This is an approach the Firebase JS SDK team took recently.

myktra avatar Feb 16 '25 13:02 myktra

Another plus one to this issue from me. I just hit the same rejection. Would love to see a solution from Amplitude for this.

drichards avatar Feb 19 '25 14:02 drichards

I can confirm that my approach mentioned above clears the approval hurdle at Google so I can use the latest version of the Amplitude JS SDK. As far as whether it has an operational impact on Amplitude functionality in production that will take some time to determine.

myktra avatar Feb 19 '25 18:02 myktra

+1 to this issue / caused rejection

fabrol avatar Feb 24 '25 18:02 fabrol

+1. Caused a rejection for us as well.

umanghome avatar Mar 27 '25 06:03 umanghome

+1 rejected here too.

mhogryd avatar Mar 31 '25 01:03 mhogryd

This URL is included by Amplitude's autocapture-browser plugin. If that plugin isn't used/needed, a temporary solution is to strip out the URL during the extension build. Not awesome, but does pass Chrome Store inspection.

Example of what we did using vite:

import replace from "@rollup/plugin-replace";

// add this to the plugins array
replace({
  "https://cdn.amplitude.com/libs/visual-tagging-selector-1.0.0-alpha.js.gz": "",
  preventAssignment: true,
})

schmidtk avatar Apr 07 '25 14:04 schmidtk

+1 , is there any other official way from amplitude ? I'm not sure what is this visual-tagging-selector-1.0.0-alpha.js.gz really used for, and is there any harm removing it?

ngoctuan001 avatar Jul 04 '25 02:07 ngoctuan001

Agree, there should be an official solution from amplitude.

vladutjs avatar Jul 17 '25 07:07 vladutjs

Hey @Mercy811, do you guys have any updates on this issue?

vladutjs avatar Aug 13 '25 08:08 vladutjs

Hi guys! Is there any solution?

PendalF89 avatar Aug 19 '25 08:08 PendalF89

Hi folks, we're planning to fix this in Sept (cc: @Dogfalo). Currently, the workaround is to strip out the URL like this comment.

Mercy811 avatar Aug 19 '25 16:08 Mercy811

How far off is this? Still expected to be fixed this month?

arikark avatar Sep 16 '25 04:09 arikark

@Mercy811 is this still happening?

arikark avatar Oct 19 '25 05:10 arikark

@arikark Yes it's on our team roadmap for this quarter. In the meantime please use the workaround.

Dogfalo avatar Oct 19 '25 15:10 Dogfalo

@Dogfalo any updates on this?

vladutjs avatar Nov 04 '25 08:11 vladutjs

@vladutjs It's still on track for this quarter, but don't have any other updates for you right now. If this is affecting you, please downgrade to <= 2.9.3 for now

Dogfalo avatar Nov 10 '25 16:11 Dogfalo