@newrelic/browser-agent 1.312.1 → 1.313.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@newrelic/browser-agent",
-  "version": "1.312.1",
+  "version": "1.313.0",
   "private": false,
   "author": "New Relic Browser Agent Team <browser-agent@newrelic.com>",
   "description": "New Relic Browser Agent",

package/src/common/config/init-types.js

@@ -12,8 +12,9 @@
  * @property {boolean} [ajax.enabled] - Turn on/off the ajax feature (on by default).
  * @property {boolean} [ajax.autoStart] - If true, the agent will automatically start the ajax feature. Otherwise, it will be in a deferred state until the `start` API method is called.
  * @property {Object} [api]
- * @property {boolean} [api.allow_registered_children] - If true, the agent will allow registered children to be sent to the server.
- * @property {boolean} [api.duplicate_registered_data] - If true, the agent will capture registered child data to the main agent as well as the registered child.
+ * @property {Object} [api.register]
+ * @property {boolean} [api.register.enabled] - If true, the agent will allow registered children to be sent to the server.
+ * @property {boolean} [api.register.duplicate_data_to_container] - If true, the agent will capture registered child data to the main agent as well as the registered child.
  * @property {Object} [distributed_tracing]
  * @property {boolean} [distributed_tracing.enabled] - If true, distributed tracing headers will be added to outgoing requests. Requires ajax feature to be running.
  * @property {boolean} [distributed_tracing.exclude_newrelic_header]

package/src/common/config/init.js

@@ -21,7 +21,7 @@ const InitModelFn = () => {
   const hiddenState = {
     feature_flags: [],
     experimental: {
-      allow_registered_children: false,
+      register: false,
       resources: false
     },
     mask_selector: '*',
@@ -49,9 +49,11 @@ const InitModelFn = () => {
   return {
     ajax: { deny_list: undefined, block_internal: true, enabled: true, autoStart: true },
     api: {
-      get allow_registered_children () { return hiddenState.feature_flags.includes(FEATURE_FLAGS.REGISTER) || hiddenState.experimental.allow_registered_children },
-      set allow_registered_children (val) { hiddenState.experimental.allow_registered_children = val },
-      duplicate_registered_data: false
+      register: {
+        get enabled () { return hiddenState.feature_flags.includes(FEATURE_FLAGS.REGISTER) || hiddenState.experimental.register },
+        set enabled (val) { hiddenState.experimental.register = val },
+        duplicate_data_to_container: false
+      }
     },
     browser_consent_mode: { enabled: false },
     distributed_tracing: {

package/src/common/timing/time-keeper.js

@@ -1,9 +1,12 @@
 /**
- * Copyright 2020-2025 New Relic, Inc. All rights reserved.
+ * Copyright 2020-2026 New Relic, Inc. All rights reserved.
  * SPDX-License-Identifier: Apache-2.0
  */
+import { SUPPORTABILITY_METRIC_CHANNEL } from '../../features/metrics/constants'
 import { originTime } from '../constants/runtime'
 import { isNative } from '../util/monkey-patched'
+import { handle } from '../event-emitter/handle'
+import { FEATURE_NAMES } from '../../loaders/features/features'
 
 /**
  * Class used to adjust the timestamp of harvested data to New Relic server time. This
@@ -37,12 +40,34 @@ export class TimeKeeper {
    */
   #ready = false
 
+  #reportedDrift = false
+
   constructor (sessionObj) {
     this.#session = sessionObj
     this.processStoredDiff()
     isNative(performance.now, Date.now) // will warn the user if these are not native functions.  We need these to be native for time in the agent to be accurate in general.
   }
 
+  #detectDrift () {
+    if (this.#reportedDrift) return
+    try {
+      // Drift detection: measures if performance.now() and Date.now() have become desynchronized
+      // This can happen when a machine sleeps and the performance timer freezes while Date continues
+      // this can also happen when a user sets their clock forward during the page lifecycle,
+      // but we have no way of distinguishing that from actual clock drift so we will just treat it as drift.
+      // In either case, the performance timestamps would be inaccurate at that point so we want to detect and report a count of it.
+      // We only detect positive drift (performance clock falling behind Date clock)
+      // Note: localTimeDiff (server time offset) is NOT part of drift - that's a legitimate offset
+      const drift = (Date.now() - originTime) - performance.now()
+      if (drift > 1000) {
+        this.#reportedDrift = true
+        handle(SUPPORTABILITY_METRIC_CHANNEL, ['Generic/TimeKeeper/ClockDrift/Detected', drift], undefined, FEATURE_NAMES.metrics, this.#session.agentRef.ee)
+      }
+    } catch (err) {
+      // Silently ignore drift detection errors to avoid breaking normal operation
+    }
+  }
+
   get ready () {
     return this.#ready
   }
@@ -90,6 +115,7 @@ export class TimeKeeper {
    * @returns {number} Corrected unix/epoch timestamp
    */
   convertRelativeTimestamp (relativeTime) {
+    this.#detectDrift()
     return originTime + relativeTime
   }
 
@@ -100,6 +126,7 @@ export class TimeKeeper {
    * @returns {number}
    */
   convertAbsoluteTimestamp (timestamp) {
+    this.#detectDrift()
     return timestamp - originTime
   }
 
@@ -109,6 +136,7 @@ export class TimeKeeper {
    * @return {number} Corrected unix/epoch timestamp
    */
   correctAbsoluteTimestamp (timestamp) {
+    this.#detectDrift()
     return timestamp - this.#localTimeDiff
   }
 
@@ -118,6 +146,7 @@ export class TimeKeeper {
    * @returns {number}
    */
   correctRelativeTimestamp (relativeTime) {
+    this.#detectDrift()
     return this.correctAbsoluteTimestamp(this.convertRelativeTimestamp(relativeTime))
   }
 

package/src/common/util/short-circuit.js

@@ -0,0 +1,6 @@
+/**
+ * Copyright 2020-2026 New Relic, Inc. All rights reserved.
+ * SPDX-License-Identifier: Apache-2.0
+ */
+/** A special error used to short-circuit the error processing pipeline */
+export class ShortCircuit extends Error {}

package/src/common/util/submit-data.js

@@ -1,5 +1,5 @@
 /**
- * Copyright 2020-2025 New Relic, Inc. All rights reserved.
+ * Copyright 2020-2026 New Relic, Inc. All rights reserved.
  * SPDX-License-Identifier: Apache-2.0
  */
 
@@ -59,7 +59,7 @@ export function xhrFetch ({
     objHeaders[header.key] = header.value
   }
 
-  return fetch(url, { headers: objHeaders, method, body, credentials: 'include' })
+  return fetch(url, { headers: objHeaders, method, body })
 }
 
 /**
@@ -76,12 +76,6 @@ export function xhr ({ url, body = null, sync, method = 'POST', headers = [{ key
   const request = new XMLHttpRequest()
 
   request.open(method, url, !sync)
-  try {
-    // Set cookie
-    if ('withCredentials' in request) request.withCredentials = true
-  } catch (e) {
-    // do nothing
-  }
 
   headers.forEach(header => {
     request.setRequestHeader(header.key, header.value)

package/src/common/v2/script-correlation.js

@@ -0,0 +1,44 @@
+/**
+ * Copyright 2020-2026 New Relic, Inc. All rights reserved.
+ * SPDX-License-Identifier: Apache-2.0
+ */
+/**
+ * Represents script correlation data combining DOM and Performance API information
+ */
+export class ScriptCorrelation {
+  /** @type {CorrelationTiming} [dom] - DOM-related information */
+  dom = new CorrelationTiming()
+  /** @type {CorrelationTiming} [performance] - Performance-related information */
+  performance = new CorrelationTiming()
+
+  /**
+   * Creates a new ScriptCorrelation instance
+   * @param {string} url - The cleaned URL of the script
+   */
+  constructor (url) {
+    /** @type {string} The cleaned URL of the script */
+    this.url = url
+  }
+
+  /**
+   * Gets the script timing, using DOM timings if available, otherwise falling back to performance timings or registeredAt as appropriate. This is used to provide the most accurate script timing possible for registered entities.
+   * @returns {{start: number, end: number}
+   */
+  get script () {
+    const start = Math.max(this.dom.start, this.performance.end)
+    const end = Math.max(this.dom.end, this.performance.end, start)
+    return {
+      start,
+      end
+    }
+  }
+}
+
+class CorrelationTiming {
+  /** @type {number} [start] - The startTime from the performance entry */
+  start = 0
+  /** @type {number} [end] - The responseEnd from the performance entry */
+  end = 0
+  /** @type {*} [value] - The entry value */
+  value = undefined
+}

package/src/common/v2/script-tracker.js

@@ -0,0 +1,260 @@
+/**
+ * Copyright 2020-2026 New Relic, Inc. All rights reserved.
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+import { globalScope } from '../constants/runtime'
+import { now } from '../timing/now'
+import { cleanURL } from '../url/clean-url'
+import { chrome, chromeEval, gecko } from '../util/browser-stack-matchers'
+import { ScriptCorrelation } from './script-correlation'
+
+/**
+ * @typedef {import('./register-api-types').RegisterAPITimings} RegisterAPITimings
+ */
+
+/** export for testing purposes */
+export let thisFile
+try {
+  thisFile = extractUrlsFromStack(getDeepStackTrace())[0]
+} catch (err) {
+  thisFile = extractUrlsFromStack(err)[0]
+}
+
+/** @type {(entry: PerformanceEntry) => boolean} - A shared function to determine if a performance entry is a valid script or link resource for evaluation */
+const validEntryCriteria = entry => entry.initiatorType === 'script' || (['link', 'fetch'].includes(entry.initiatorType) && entry.name.endsWith('.js'))
+
+/** @type {Map<string, ScriptCorrelation>} - Central registry for script correlations containing both DOM and Performance data */
+export const scriptCorrelations = new Map()
+/** @type {Array<{ test: (entry: PerformanceEntry) => boolean, addedAt: number }>} an array of PerformanceObserver subscribers to check for late emissions */
+let poSubscribers = []
+
+/**
+ * Retrieves a script correlation by URL using exact matching
+ * @param {string} targetUrl - The URL to find
+ * @returns {ScriptCorrelation | undefined} - The correlation object if found
+ */
+function findCorrelation (targetUrl) {
+  return scriptCorrelations.get(targetUrl)
+}
+
+/**
+ * Gets or creates a script correlation entry
+ * @param {string} url - The cleaned URL
+ * @returns {ScriptCorrelation} - The correlation object
+ */
+function getOrCreateCorrelation (url) {
+  const existing = findCorrelation(url)
+  if (existing) return existing
+
+  const correlation = new ScriptCorrelation(url)
+  scriptCorrelations.set(url, correlation)
+
+  // Keep size under control
+  if (scriptCorrelations.size > 1000) {
+    const firstKey = scriptCorrelations.keys().next().value
+    scriptCorrelations.delete(firstKey)
+  }
+
+  return correlation
+}
+
+/** Set up a MutationObserver to detect script elements being added to the DOM */
+if (globalScope.MutationObserver && globalScope.document) {
+  const scriptMutationObserver = new MutationObserver((mutations) => {
+    mutations.forEach((mutation) => {
+      mutation.addedNodes.forEach((node) => {
+        if (node.nodeName === 'SCRIPT' && node.src) {
+          const cleanedSrc = cleanURL(node.src)
+          const correlation = getOrCreateCorrelation(cleanedSrc)
+
+          correlation.dom.start = now()
+          correlation.dom.value = node
+
+          const setEnd = () => { correlation.dom.end = now() }
+          ;['load', 'error'].forEach(event => node.addEventListener(event, setEnd, { once: true }))
+        }
+      })
+    })
+  })
+
+  scriptMutationObserver.observe(globalScope.document, {
+    childList: true,
+    subtree: true
+  })
+}
+
+if (globalScope.PerformanceObserver?.supportedEntryTypes.includes('resource')) {
+  /** We must track the script assets this way, because the performance buffer can fill up and when it does that
+   * it stops accepting new entries (instead of dropping old entries), which means if the register API is called
+   * after the buffer fills up we won't be able to get the script timing information from the resource timing API
+  */
+  const scriptObserver = new PerformanceObserver((list) => {
+    list.getEntries().filter(validEntryCriteria).forEach((entry) => {
+      // Update correlation with performance data (creates entry if needed)
+      const entryUrl = cleanURL(entry.name)
+      const correlation = getOrCreateCorrelation(entryUrl)
+      correlation.performance.start = Math.floor(entry.startTime)
+      correlation.performance.end = Math.floor(entry.responseEnd)
+      correlation.performance.value = entry
+
+      // Clear resolved or expired subscribers
+      const canClear = []
+      poSubscribers.forEach(({ test, addedAt }, idx) => {
+        if (test(entry) || now() - addedAt > 10000) canClear.push(idx)
+      })
+      poSubscribers = poSubscribers.filter((_, idx) => !canClear.includes(idx))
+    })
+  })
+  scriptObserver.observe({ type: 'resource', buffered: true })
+}
+
+/**
+ * Extracts URLs from stack traces using the same logic as compute-stack-trace.js
+ * @param {string} stack The error stack trace
+ * @returns {string[]} Array of cleaned URLs found in the stack trace
+ */
+export function extractUrlsFromStack (stack) {
+  if (!stack || typeof stack !== 'string') return []
+
+  const urls = new Set()
+  const lines = stack.split('\n')
+
+  for (const line of lines) {
+    // Try gecko format first, then chrome
+    const parts = line.match(gecko) || line.match(chrome) || line.match(chromeEval)
+    if (parts && parts[2]) {
+      urls.add(cleanURL(parts[2]))
+    } else {
+      // Fallback: match URLs using a generic .js pattern (non-greedy to handle ports and query params)
+      const fallbackMatch = line.match(/\(([^)]+\.js):\d+:\d+\)/) || line.match(/^\s+at\s+([^\s(]+\.js):\d+:\d+/)
+      if (fallbackMatch && fallbackMatch[1]) {
+        urls.add(cleanURL(fallbackMatch[1]))
+      }
+    }
+  }
+  return [...urls]
+}
+
+/**
+ * Returns a deep stack trace by temporarily increasing the stack trace limit.
+ * @returns {Error.stack | undefined}
+ */
+export function getDeepStackTrace () {
+  let stack
+  try {
+    const originalStackLimit = Error.stackTraceLimit
+    Error.stackTraceLimit = 50
+    stack = new Error().stack
+    Error.stackTraceLimit = originalStackLimit
+  } catch (e) {
+    stack = new Error().stack
+  }
+  return stack
+}
+
+/**
+ * Indicates whether the provided URL matches any script preload link tags in the document.
+ * @param {string} targetUrl The URL to match against preload tags
+ * @returns {boolean} True if a matching preload link is found, false otherwise
+ */
+function wasPreloaded (targetUrl) {
+  if (!targetUrl || !globalScope.document) return false
+
+  try {
+    const linkTags = globalScope.document.querySelectorAll('link[rel="preload"][as="script"]')
+    for (const link of linkTags) {
+      // link.href is resolved to an absolute URL by the browser (even if supplied as relative), so we can match exactly against the cleaned target URL
+      if (cleanURL(link.href) === targetUrl) return true
+    }
+  } catch (error) {
+    // Don't let DOM parsing errors break anything
+  }
+  return false
+}
+
+/**
+ * Checks if a performance entry matches the target MFE script URL using exact matching
+ * @param {PerformanceResourceTiming} entry - The resource timing entry
+ * @param {string} targetUrl - The MFE script URL to match
+ * @returns {boolean} True if the entry matches
+ */
+function entryMatchesUrl (entry, targetUrl) {
+  const entryUrl = cleanURL(entry.name)
+  return entryUrl === targetUrl
+}
+
+/**
+ * Applies performance entry timing data to a timings object
+ * @param {RegisterAPITimings} timings - The timings object to update
+ * @param {PerformanceResourceTiming} entry - The performance entry
+ */
+function applyPerformanceEntry (timings, entry) {
+  timings.fetchStart = Math.floor(entry.startTime)
+  timings.fetchEnd = Math.floor(entry.responseEnd)
+  timings.asset = entry.name
+  timings.type = entry.initiatorType
+}
+
+/**
+ * Uses the stack of the initiator function, returns script timing information if a script can be found with the resource timing API matching the URL found in the stack.
+ * @returns {RegisterAPITimings} Object containing script fetch start and end times, and the asset URL if found
+ */
+export function findScriptTimings () {
+  const timings = { registeredAt: now(), reportedAt: undefined, fetchStart: 0, fetchEnd: 0, scriptStart: 0, scriptEnd: 0, asset: undefined, type: 'unknown' }
+  const stack = getDeepStackTrace()
+  if (!stack) return timings
+
+  const navUrl = globalScope.performance?.getEntriesByType('navigation')?.[0]?.name || ''
+
+  try {
+    const urls = extractUrlsFromStack(stack)
+    // Filter out agent file from URLs (unless it's the only one)
+    const mfeScriptUrl = (urls.length > 1 ? urls.filter(line => thisFile !== line) : urls)[0]
+    if (!mfeScriptUrl) return timings
+
+    // Check for inline script
+    if (navUrl.includes(mfeScriptUrl)) {
+      timings.asset = cleanURL(navUrl)
+      timings.type = 'inline'
+      return timings
+    }
+
+    // Get correlation data
+    timings.correlation = findCorrelation(mfeScriptUrl)
+
+    // Use correlation's performance entry if available, otherwise check live performance API
+    const performanceEntry = timings.correlation?.performance.value || performance.getEntriesByType('resource').find(e => entryMatchesUrl(e, mfeScriptUrl))
+
+    if (performanceEntry) {
+      applyPerformanceEntry(timings, performanceEntry)
+    } else if (wasPreloaded(mfeScriptUrl)) {
+      // Handle preloaded scripts that may report late
+      timings.asset = mfeScriptUrl
+      timings.type = 'preload'
+
+      // Subscribe to late performance observer callbacks
+      poSubscribers.push({
+        addedAt: now(),
+        test: (entry) => {
+          if (entryMatchesUrl(entry, mfeScriptUrl)) {
+            applyPerformanceEntry(timings, entry)
+            return true
+          }
+          return false
+        }
+      })
+    }
+
+    /*
+     * Use getters here because the correlation data may arrive after this function returns the timing object, and we want to provide the most up-to-date timing information possible when the getters are accessed at harvest time.
+     * The getters will fall back to fetchEnd if correlation data isn't available yet, which is our best approximation for script execution start when actual script timings can not be determined.
+    */
+    Object.defineProperty(timings, 'scriptStart', { get: () => timings.correlation?.script.start || timings.fetchEnd })
+    Object.defineProperty(timings, 'scriptEnd', { get: () => timings.correlation?.script.end || timings.registeredAt })
+  } catch (error) {
+    // Don't let stack parsing errors break anything
+  }
+
+  return timings
+}

package/src/common/{util/v2.js → v2/utils.js}

@@ -23,7 +23,7 @@ export const V2_TYPES = {
  * @returns {import("../../interfaces/registered-entity").RegisterAPIMetadataTarget[]}
  */
 export function getRegisteredTargetsFromId (id, agentRef) {
-  if (!id || !agentRef?.init.api.allow_registered_children) return []
+  if (!id || !agentRef?.init.api.register.enabled) return []
   const registeredEntities = agentRef.runtime.registeredEntities
   return registeredEntities?.filter(entity => String(entity.metadata.target.id) === String(id)).map(entity => entity.metadata.target) || []
 }
@@ -35,7 +35,7 @@ export function getRegisteredTargetsFromId (id, agentRef) {
  * @returns {import("../../interfaces/registered-entity").RegisterAPIMetadataTarget[]}
  */
 export function getRegisteredTargetsFromFilename (filename, agentRef) {
-  if (!filename || !agentRef?.init.api.allow_registered_children) return []
+  if (!filename || !agentRef?.init.api.register.enabled) return []
   const registeredEntities = agentRef.runtime.registeredEntities
   return registeredEntities?.filter(entity => entity.metadata.timings?.asset?.endsWith(filename)).map(entity => entity.metadata.target) || []
 }
@@ -83,7 +83,7 @@ export function getVersion2DuplicationAttributes (target, aggregateInstance) {
  * @returns {boolean} returns true if the event should be duplicated for the target, false otherwise
  */
 export function shouldDuplicate (target, aggregateInstance) {
-  return !!target && !!supportsV2(aggregateInstance) && aggregateInstance.agentRef.init.api.duplicate_registered_data
+  return !!target && !!supportsV2(aggregateInstance) && aggregateInstance.agentRef.init.api.register.duplicate_data_to_container
 }
 
 /**
@@ -92,7 +92,7 @@ export function shouldDuplicate (target, aggregateInstance) {
  * @returns {Array} An array of targets found from the stack trace. If no targets are found or allowed, returns an array with undefined.
  */
 export function findTargetsFromStackTrace (agentRef) {
-  if (!agentRef?.init.api.allow_registered_children) return [undefined]
+  if (!agentRef?.init.api.register.enabled) return [undefined]
 
   const targets = []
   try {

package/src/common/wrap/wrap-fetch.js

@@ -9,7 +9,7 @@
  */
 import { ee as baseEE, contextId } from '../event-emitter/contextual-ee'
 import { globalScope } from '../constants/runtime'
-import { findTargetsFromStackTrace } from '../util/v2'
+import { findTargetsFromStackTrace } from '../v2/utils'
 
 var prefix = 'fetch-'
 var bodyPrefix = prefix + 'body-'

package/src/common/wrap/wrap-function.js

@@ -9,7 +9,7 @@
 
 import { ee } from '../event-emitter/contextual-ee'
 import { bundleId } from '../ids/bundle-id'
-import { findTargetsFromStackTrace } from '../util/v2'
+import { findTargetsFromStackTrace } from '../v2/utils'
 
 export const flag = `nr@original:${bundleId}`
 const LONG_TASK_THRESHOLD = 50

package/src/common/wrap/wrap-xhr.js

@@ -14,7 +14,7 @@ import { eventListenerOpts } from '../event-listener/event-listener-opts'
 import { createWrapperWithEmitter as wfn } from './wrap-function'
 import { globalScope } from '../constants/runtime'
 import { warn } from '../util/console'
-import { findTargetsFromStackTrace } from '../util/v2'
+import { findTargetsFromStackTrace } from '../v2/utils'
 
 const wrapped = {}
 const XHR_PROPS = ['open', 'send'] // these are the specific funcs being wrapped on all XMLHttpRequests(.prototype)

package/src/features/ajax/aggregate/index.js

@@ -12,7 +12,7 @@ import { AggregateBase } from '../../utils/aggregate-base'
 import { parseGQL } from './gql'
 import { nullable, numeric, getAddStringContext, addCustomAttributes } from '../../../common/serialize/bel-serializer'
 import { gosNREUMOriginals } from '../../../common/window/nreum'
-import { getVersion2Attributes, getVersion2DuplicationAttributes, shouldDuplicate } from '../../../common/util/v2'
+import { getVersion2Attributes, getVersion2DuplicationAttributes, shouldDuplicate } from '../../../common/v2/utils'
 
 export class Aggregate extends AggregateBase {
   static featureName = FEATURE_NAME

package/src/features/generic_events/aggregate/index.js

@@ -14,7 +14,7 @@ import { applyFnToProps } from '../../../common/util/traverse'
 import { UserActionsAggregator } from './user-actions/user-actions-aggregator'
 import { isIFrameWindow } from '../../../common/dom/iframe'
 import { isPureObject } from '../../../common/util/type-check'
-import { getVersion2Attributes } from '../../../common/util/v2'
+import { getVersion2Attributes } from '../../../common/v2/utils'
 
 export class Aggregate extends AggregateBase {
   static featureName = FEATURE_NAME
@@ -259,6 +259,25 @@ export class Aggregate extends AggregateBase {
           this.addEvent(event)
         }, this.featureName, this.ee)
       }
+      if (!agentRef.init.feature_flags.includes('no_spv')) {
+        registerHandler('spv', (evt) => {
+          this.addEvent({
+            eventType: 'SecurityPolicyViolation',
+            timestamp: this.#toEpoch(evt.timeStamp),
+            blockedUri: evt.blockedURI,
+            documentUri: evt.documentURI,
+            effectiveDirective: evt.effectiveDirective,
+            originalPolicy: evt.originalPolicy,
+            sourceFile: evt.sourceFile,
+            statusCode: evt.statusCode,
+            lineNumber: evt.lineNumber,
+            columnNumber: evt.columnNumber,
+            disposition: evt.disposition,
+            sample: evt.sample,
+            referrer: evt.referrer
+          })
+        }, this.featureName, this.ee)
+      }
 
       this.drain()
     })

package/src/features/generic_events/instrument/index.js

@@ -27,6 +27,7 @@ export class Instrument extends InstrumentBase {
   constructor (agentRef) {
     super(agentRef, FEATURE_NAME)
     const websocketsEnabled = agentRef.init.feature_flags.includes('websockets')
+    const securityPolicyViolationEnabled = !agentRef.init.feature_flags.includes('no_spv')
 
     /** config values that gate whether the generic events aggregator should be imported at all */
     const genericEventSourceConfigs = [
@@ -35,7 +36,8 @@ export class Instrument extends InstrumentBase {
       agentRef.init.performance.capture_measures,
       agentRef.init.performance.resources.enabled,
       agentRef.init.user_actions.enabled,
-      websocketsEnabled
+      websocketsEnabled,
+      securityPolicyViolationEnabled
     ]
 
     /** feature specific APIs */
@@ -45,8 +47,24 @@ export class Instrument extends InstrumentBase {
     setupRegisterAPI(agentRef)
     setupMeasureAPI(agentRef)
 
-    let historyEE, websocketsEE
-    if (websocketsEnabled) websocketsEE = wrapWebSocket(this.ee)
+    this.removeOnAbort = new AbortController()
+    this.abortHandler = () => {
+      this.removeOnAbort.abort()
+      this.abortHandler = undefined // weakly allow this abort op to run only once
+    }
+
+    let historyEE
+    if (websocketsEnabled) { // this can apply outside browser scope such as in worker
+      const websocketsEE = wrapWebSocket(this.ee)
+      websocketsEE.on('ws', (nrData) => {
+        handle('ws-complete', [nrData], undefined, this.featureName, this.ee)
+      })
+    }
+    if (securityPolicyViolationEnabled) {
+      globalScope.addEventListener('securitypolicyviolation', (evt) => {
+        handle('spv', [evt], undefined, FEATURE_NAMES.genericEvents, this.ee)
+      }, eventListenerOpts(false, this.removeOnAbort.signal))
+    }
     if (isBrowserScope) {
       wrapFetch(this.ee, agentRef)
       wrapXhr(this.ee, agentRef)
@@ -65,7 +83,7 @@ export class Instrument extends InstrumentBase {
 
         globalScope.addEventListener('error', () => {
           handle('uaErr', [], undefined, FEATURE_NAMES.genericEvents, this.ee)
-        }, eventListenerOpts(false, this.removeOnAbort?.signal))
+        }, eventListenerOpts(false, this.removeOnAbort.signal))
 
         this.ee.on('open-xhr-start', (args, xhr) => {
           if (!isInternalTraffic(args[1])) {
@@ -73,7 +91,7 @@ export class Instrument extends InstrumentBase {
               if (xhr.readyState === 2) { // HEADERS_RECEIVED
                 handle('uaXhr', [], undefined, FEATURE_NAMES.genericEvents, this.ee)
               }
-            })
+            }, eventListenerOpts(undefined, this.removeOnAbort.signal))
           }
         })
         this.ee.on('fetch-start', (fetchArguments) => {
@@ -89,8 +107,8 @@ export class Instrument extends InstrumentBase {
 
         historyEE.on('pushState-end', navigationChange)
         historyEE.on('replaceState-end', navigationChange)
-        window.addEventListener('hashchange', navigationChange, eventListenerOpts(true, this.removeOnAbort?.signal))
-        window.addEventListener('popstate', navigationChange, eventListenerOpts(true, this.removeOnAbort?.signal))
+        window.addEventListener('hashchange', navigationChange, eventListenerOpts(true, this.removeOnAbort.signal))
+        window.addEventListener('popstate', navigationChange, eventListenerOpts(true, this.removeOnAbort.signal))
 
         function navigationChange () {
           historyEE.emit('navChange')
@@ -109,21 +127,6 @@ export class Instrument extends InstrumentBase {
         })
       }
     }
-    if (websocketsEnabled) { // this can apply outside browser scope such as in worker
-      websocketsEE.on('ws', (nrData) => {
-        handle('ws-complete', [nrData], undefined, this.featureName, this.ee)
-      })
-    }
-
-    try {
-      this.removeOnAbort = new AbortController()
-    } catch (e) {}
-
-    this.abortHandler = () => {
-      this.removeOnAbort?.abort()
-      this.abortHandler = undefined // weakly allow this abort op to run only once
-    }
-
     /** If any of the sources are active, import the aggregator. otherwise deregister */
     if (genericEventSourceConfigs.some(x => x)) this.importAggregator(agentRef, () => import(/* webpackChunkName: "generic_events-aggregate" */ '../aggregate'))
     else this.deregisterDrain()