From 0460a816bbe7012bb72c5a480142a0501a08d51e Mon Sep 17 00:00:00 2001
From: OneSignal <noreply@onesignal.com>
Date: Mon, 23 Feb 2026 17:57:46 +0000
Subject: [PATCH] feat: add support for overriding OneSignal script src

---
 index.ts | 24 ++++++++++++++++--------
 1 file changed, 16 insertions(+), 8 deletions(-)

diff --git a/index.ts b/index.ts
index 15043981..ed5d141c 100644
--- a/index.ts
+++ b/index.ts
@@ -1,17 +1,12 @@
 const ONESIGNAL_SDK_ID = 'onesignal-sdk';
-const ONE_SIGNAL_SCRIPT_SRC =
+const DEFAULT_SCRIPT_SRC =
   'https://cdn.onesignal.com/sdks/web/v16/OneSignalSDK.page.js';
 
-// true if the script is successfully loaded from CDN.
 let isOneSignalInitialized = false;
-// true if the script fails to load from CDN. A separate flag is necessary
-// to disambiguate between a CDN load failure and a delayed call to
-// OneSignal#init.
 let isOneSignalScriptFailed = false;
 
 if (typeof window !== 'undefined') {
   window.OneSignalDeferred = window.OneSignalDeferred || [];
-  addSDKScript();
 }
 
 declare global {
@@ -30,11 +25,15 @@ function handleOnError() {
   isOneSignalScriptFailed = true;
 }
 
-function addSDKScript() {
+function addSDKScript(scriptSrc?: string) {
+  if (document.getElementById(ONESIGNAL_SDK_ID)) {
+    return;
+  }
+
   const script = document.createElement('script');
   script.id = ONESIGNAL_SDK_ID;
   script.defer = true;
-  script.src = ONE_SIGNAL_SCRIPT_SRC;
+  script.src = scriptSrc || DEFAULT_SCRIPT_SRC;
 
   // Always resolve whether or not the script is successfully initialized.
   // This is important for users who may block cdn.onesignal.com w/ adblock.
@@ -112,6 +111,8 @@ const init = (options: IInitObject): Promise<void> => {
     options.welcomeNotification.disable = options.welcomeNotification.disabled;
   }
 
+  addSDKScript(options.scriptSrc);
+
   return new Promise<void>((resolve, reject) => {
     window.OneSignalDeferred?.push((OneSignal) => {
       OneSignal.init(options)
@@ -457,6 +458,13 @@ export interface IInitObject {
   serviceWorkerParam?: { scope: string };
   serviceWorkerPath?: string;
   serviceWorkerOverrideForTypical?: boolean;
+  /**
+   * Overrides the default OneSignal SDK script URL.
+   * Use this to self-host the SDK script on your own domain, e.g. to comply
+   * with strict Cross-Origin-Embedder-Policy (COEP) or Content-Security-Policy (CSP) headers.
+   * @default 'https://cdn.onesignal.com/sdks/web/v16/OneSignalSDK.page.js'
+   */
+  scriptSrc?: string;
   [key: string]: unknown;
 }