web-vitals.attribution.iife.js does not inherit `crossorigin` attribute from parent Universal-Federated-Analytics-Min.js script

[mdmower-csnw]

On websites where cross-origin-embedder-policy is set to require-corp (MDN ref), it should be possible to add attribute crossorigin to the DAP script tag to ensure the response satisfies the policy. For example,

<script id="_fed_an_ua_tag" async crossorigin="" src="https://dap.digitalgov.gov/Universal-Federated-Analytics-Min.js?agency=DOT"></script>

While this works for Universal-Federated-Analytics-Min.js, dynamically added script https://dap.digitalgov.gov/web-vitals/dist/web-vitals.attribution.iife.js does not include this attribute, nor does its response include any CORS headers, and so it is blocked from loading:

[mdmower-csnw]

In case anyone stumbles across this, the workaround for now is to set cross-origin-embedder-policy to credentialless. See MDN for more information about this value.