🐛[RUMF-320] Remove url-polyfill dependency

[bcaudan]

The dependency used to polyfill URL API is modifying the global scope which caused an issue for a customer.
Since we don't use a lot of URL features, replace this polyfill by a simple implementation that support only our current needs.

[codecov-io]

Codecov Report

Merging #294 into master will decrease coverage by 0.22%.
The diff coverage is 87.03%.

@@            Coverage Diff             @@
##           master     #294      +/-   ##
==========================================
- Coverage   86.27%   86.04%   -0.23%     
==========================================
  Files          24       25       +1     
  Lines        1362     1405      +43     
  Branches      298      304       +6     
==========================================
+ Hits         1175     1209      +34     
- Misses        187      196       +9     

Impacted Files	Coverage Δ
packages/core/src/requestCollection.ts	96.66% <ø> (-0.11%)	⬇️
packages/rum/src/rum.ts	83.75% <ø> (-1.25%)	⬇️
packages/core/src/utils.ts	96.15% <71.42%> (-1.79%)	⬇️
packages/rum/src/resourceUtils.ts	96.92% <85.71%> (-1.59%)	⬇️
packages/core/src/urlPolyfill.ts	90.00% <90.00%> (ø)
packages/rum/src/rum.entry.ts	69.38% <0.00%> (-2.05%)	⬇️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update a4eb2e1...b0e05bb. Read the comment docs.

[msokk]

https://github.com/DataDog/browser-sdk/pull/294/files#diff-252c841276c8ed9e5cbdc5a3865065dfR47 - appending the <base> element causes CSP violations in stricter setups. Ours has 'none' for base-uri.

https://docs.datadoghq.com/real_user_monitoring/faq/content_security_policy/?tab=us - CSP article should include base-uri 'self'

[bcaudan]

Hi @msokk,
Thanks for raising the issue.

Could you confirm that:

• it was not happening before this release
• it only happens on IE browsers

Thanks

[msokk]

IE does not support CSP (apart from X-Content-Security-Policy: sandbox).
This didn't break anything, apart from XHR url in datadog not being normalized, just our Sentry got spammed.

Started first seeing events March 12, ~13:30 GMT

[bcaudan]

@msokk is this issue reported by sentry on every browsers?

[msokk]

Well, our reports mostly (99%) consisted of Chrome 80, as we have a lot of Chrome users, but there are some Firefox and Opera.

It's not a big issue, just some extra configuration might be needed from site side if they have set up security headers. We just have a very strict Content-Security-Policy by whitelisting third-party scripts/styles/fonts/etc...

So far no third-party piece of code touched the <base> element, so we had the https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/base-uri totally blocked :)

[bcaudan]

OK, I'd prefer to not need extra csp rules if we can avoid it.

Could you provide me one url where there is the issue?

[msokk]

I already adjusted our CSP rules on all environments to stop eating up Sentry quota.

Here is a codepen with <meta http-equiv="Content-Security-Policy" content="base-uri 'none'"> - https://codepen.io/msokk/pen/eYNMWxy.

Violation is in console

[bcaudan]

Thanks a lot for that, I'll have a look and keep you updated if there is any changes on this topic.

[bcaudan]

Hi