Feature Request: Allow bundling of analytics scripts

[jawnsy-humane]

For production builds, this library loads an additional analytics script from /_vercel/insights/script.js on the current domain. For development builds, this library loads an analytics script from https://va.vercel-scripts.com/v1/script.debug.js.

analytics/packages/web/src/generic.ts

Lines 19 to 21 in 56ebed2

	export const DEV_SCRIPT_URL =
	'https://va.vercel-scripts.com/v1/script.debug.js';
	export const PROD_SCRIPT_URL = '/_vercel/insights/script.js';

This has a few implications:

• The latter URL (on va.vercel-scripts.com) needs to be added to the content security policy, but only applies in development mode
• The analytics script can be updated at any time without changes to the application

It would be nice if the scripts themselves could be bundled in the npm package, so that everything is upgraded reproducibly.

[jawnsy-humane]

A workaround (for Next.js) is to create some rewrites and use the scriptSrc prop to load the script through the local server, proxying to va.vercel-scripts.com.

const nextConfig = {
  async rewrites() {
    return [
      /* Proxy to Vercel Scripts for Analytics and Speed Insights,
       * so that the CSP does not need to include an external domain.
       */
      {
        source: '/vercel/insights.js',
        destination: 'https://va.vercel-scripts.com/v1/script.js',
      },
      {
        source: '/vercel/insights.debug.js',
        destination: 'https://va.vercel-scripts.com/v1/script.debug.js',
      },
      {
        source: '/vercel/speed-insights.js',
        destination: 'https://va.vercel-scripts.com/v1/speed-insights/script.js',
      },
      {
        source: '/vercel/speed-insights.debug.js',
        destination: 'https://va.vercel-scripts.com/v1/speed-insights/script.debug.js',
      },
    ];
  }
};