Add identifying attribute to HTML elements injected into game's index.html

[Ragzouken]

For the past two years this project has been working fine but recently is broken: https://candle.itch.io/flicksy

it seems the resources are being split over multiple origins but without the CORS policy set correctly? this occurs during tool's export process which fetches the javascript and css source files of the tool to bundle a copy of itself

Access to fetch at 'https://static.itch.io/htmlgame.js' from origin 'https://v6p9d9t4.ssl.hwcdn.net' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.

Disregard the above, I misunderstood the problem I encountered.

I didn't realise it until now, but the change described at https://itch.io/t/614172/sitelock-update?before=28#post-1550434 broken my tool, and I now understand it's because itch is injecting extra script element's into my tool's html page.

I'm dynamically inspecting the page's script elements as part of the tool's export process (and naturally, assuming that the only elements are the ones I put there)--the extra element tripped this process up (because that particular script doesn't have a favourable CORS policy, but I realise now that I don't actually want to be able to fetch it anyway).

I can understand why you might want to do this, but could you add some identifying attribute to the tag so I can detect that it was injected? Perhaps <script data-itch-injected ...> or similar? Right now my workaround to check jsScript.src !== "https://static.itch.io/htmlgame.js" which feels liable to break.

[leafo]

it seems like your tool would break with any arbitrary src domain, so maybe it makes more sense to only operate on script tags that you know have a valid src?

[Ragzouken]

Right now the browser is showing me something like the below, which with two intentional script tags and then the third one injected by itch. I'm not sure what you mean by "valid" source--unless you mean whitelisting the ones I know should be there, which is possible but very inconvenient because they are generated and injected by the packing software before I publish.

<script src="./static/js/2.f137e5d4.chunk.js"></script>
<script src="./static/js/main.4bd64331.chunk.js"></script>
<script defered src="static/htmlgame.js"></script>

What I'm proposing above is to add a data attribute that I can blacklist in my dynamic code:

<script src="./static/js/2.f137e5d4.chunk.js"></script>
<script src="./static/js/main.4bd64331.chunk.js"></script>
<script defered src="static/htmlgame.js" data-itch-injected></script>

[leafo]

We insert a script tag containing a src with a full URL including domain, not a relative URL. I'm suggesting you use that information to identify which script tags should be processed with your script. It seems like you only want to interact with script tags with relative URLs.

Here's the exact code we insert:

<script defer src="https://static.itch.io/htmlgame.js" type="text/javascript"></script>

[Ragzouken]

Ah, I understand. I can (and will) certainly avoid the problem by just ignoring absolute URLs since I'm not using them.

Is there any reason to avoid adding something explicitly identifying injected elements though? If you ever decide to start injecting with a relative URL then this will obviously break again.

[leafo]

We will never use a relative URL in this situation, and the absolute URL should never change, so I see that as a suitable identifier of what the script is for.