Copilot review flags third-party injection possibility

[VisLab]

Source of the issue:

  <script src="https://osa-demo.pages.dev/osa-chat-widget.js"
          crossorigin="anonymous"></script>

Copilot comment:

This injects a third-party chat widget script from an external domain into all doc pages. That has security/privacy and operational implications (supply-chain risk, potential data exfiltration via allowPageContext, outages breaking page load). Consider pinning to a versioned URL and adding SRI (integrity) + defer, documenting what data is sent, and/or gating the widget behind an explicit user opt-in or a build-time flag for official docs.

For your consideration. For now, I am trying the defer option on the static sites and copying on our server pages.

 <script src="https://osa-demo.pages.dev/osa-chat-widget.js"
          crossorigin="anonymous"
          defer></script>
  <script defer>
    // Initialize widget after script loads (defer ensures non-blocking)
    if (window.OSAChatWidget) {
      OSAChatWidget.setConfig({.....
  </script>

[neuromechanist]

Thank you for the report, but I believe that this is right.
A possible resolution is to implement the chat widget directly on your website, which interacts with the API that we already have. However, that's about a couple hundred lines to few thousand lines, which might not be efficient.

[VisLab]

Copilot has also complained about the lack of a privacy notice or choice of sending personal information:

The chat widget is configured to send page content to an external service and is enabled by default (allowPageContext: true + pageContextDefaultEnabled: true). This is a privacy/security risk because users may enter sensitive data and it will be transmitted off-site without explicit opt-in or a user-visible notice. Consider defaulting page context to disabled and requiring an explicit user action to enable it, and/or gating the widget behind an environment/build flag plus a visible privacy notice/link in the rendered docs UI (not only an HTML comment).

Also suggested the following:

 <!-- OSA Chat Widget (HED Assistant)
       Privacy Note: This widget sends page content to an external AI service when
       allowPageContext is enabled. The widget provides contextual help for HEDTools documentation.
       Data sent: Page text content, user questions
       Service: OSA Chat Widget (osa-demo.pages.dev)
  -->
  <script src="https://osa-demo.pages.dev/osa-chat-widget.js"

[neuromechanist]

This is pretty good to add, thank you about that. The user interface already has this notice and the option to opt out. You can also disabled this feature altogether with just 1 flag.

However, it is sensible to mean that the assistant knows about the context of the page before answering the question. Probably we could just change a color the color of the notice?

[neuromechanist]

@claude, can you make the changes in a feature branch?