Scripts fail to load with COOP-COEP (when window.crossOriginIsolated is true) · Issue #841

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement . We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

We're working on making our site cross origin isolated to get access to multithreaded WASM, but once we set the headers on our page to

Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Embedder-Policy: require-corp
Several of our analytics scripts stop loading.
In order to fix this you have to add a crossorigin="anonymous" attribute to the script tags.
I forked this repo & added this to packages/browser/src/lib/load-script.js at line 36:
if (window.crossOriginIsolated)
      script.setAttribute('crossorigin', 'anonymous')
Which worked for the tags that get loaded directly by analytics-next.
Unfortunately for some scripts, like Amplitude, it looks like they load a script that injects another script which doesn't have the crossorigin attribute & so fails to load.
I was able to set a breakpoint in the debugger & manually inject the attribute:
to verify that this fixes the issue:
But have no way to actually edit the code coming down from this URL https://cdn.segment.com/next-integrations/integrations/amplitude/3.3.3/amplitude.dynamic.js.gz to persist the change.
Could someone at Segment update those remote scripts to inject crossorigin="anonymous" on tags they're adding when window.crossOriginIsolated is true? Besides Amplitude, it looks like the other integrations we have that are failing are gtag, reddit and LinkedIn.