External script loading triggers Chrome Web Store rejection #1283

kyranjamie opened this issue Apr 29, 2025 · 0 comments

kyranjamie commented Apr 29, 2025

Our team @leather-io authors a Web Extension released to the Chrome Web Store. Our extension publish has seen a rejection owing to Segment's use of external script loading.

As part of the Manifest v3 update, extensions are not allowed to remotely load code. This is a complete blocker for all MV3 extensions that use Segment.

In 2023, I opened an MV3 issue before regarding better support for service workers, which has so far not been prioritised by Segment: #907

Rejection email: [image]

Offending code here

```ts
export function getLegacyAJSPath(): string {
  const writeKey = embeddedWriteKey() ?? getGlobalAnalytics()?._writeKey
  const scripts = Array.prototype.slice.call(
    document.querySelectorAll('script')
  )
  let path: string | undefined = undefined
  for (const s of scripts) {
    const src = s.getAttribute('src') ?? ''
    const result = analyticsScriptRegex.exec(src)
    if (result && result[1]) {
      path = src
      break
    }
  }
  if (path) {
    return path.replace('analytics.min.js', 'analytics.classic.js')
  }
  return `https://cdn.segment.com/analytics.js/v1/${writeKey}/analytics.classic.js`
}
```

The only way we've managed to fix this so far is by using our bundler to override this fn with the remote injection code overridden.
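A build-time check for the pattern this issue describes, as an added example that is not part of the original issue or of Segment's code: it scans bundled extension source for http(s) URLs ending in `.js` or `.mjs`, such as the `cdn.segment.com` fallback returned by `getLegacyAJSPath`. The function names and the sample bundle are constructed for illustration.

```javascript
// Added example (not Segment's or the issue author's code).
// Flags http(s) URLs ending in .js/.mjs inside a built bundle, the kind of
// string that indicates remotely hosted code in an MV3 extension package.
const REMOTE_SCRIPT_URL = /https?:\/\/[^\s'"`<>]+?\.m?js(?=[?#'"`\s]|$)/g

function hostOf(url) {
  try {
    return new URL(url).hostname
  } catch {
    return null // host is assembled at runtime, e.g. from a template placeholder
  }
}

// Returns one finding per remote script URL, with its 1-based line number.
function findRemoteScriptRefs(source) {
  const findings = []
  source.split('\n').forEach((text, index) => {
    for (const match of text.matchAll(REMOTE_SCRIPT_URL)) {
      const url = match[0]
      findings.push({
        line: index + 1,
        url,
        host: hostOf(url),
        // A "${" means part of the URL is filled in at runtime (here: the write key).
        templated: url.includes('${'),
      })
    }
  })
  return findings
}

// Constructed sample bundle: a packaged script path, the CDN fallback quoted
// in this issue, and a plain API call that is data rather than code.
const SAMPLE_BUNDLE = [
  "const local = chrome.runtime.getURL('vendor/analytics.js')",
  'function getLegacyAJSPath() {',
  '  return `https://cdn.segment.com/analytics.js/v1/${writeKey}/analytics.classic.js`',
  '}',
  "fetch('https://api.example.test/v1/track', { method: 'POST' })",
].join('\n')

function checkSampleBundle() {
  return findRemoteScriptRefs(SAMPLE_BUNDLE)
}
```

Run against real build output, this also matches URLs that only appear in comments or license banners, so findings need a manual look before treating them as blockers.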
