I didn't mean to marinate this pr in "in review". I'm going to approve it, and we should merge it and take advantage of all the improvements listed.
I'm struggling with the fact the dataverse page still would not load under silent challenges, unless the browser already has a valid challenge session from another window. This cannot be addressed from inside this javascript, I'm pretty positive, meaning that it's outside of the scope of this pr. (And the javascript is now working consistently with a valid challenge session, which was not the case previously).
I was able to take it one step further:
With the current recommended setup, if the browser has not yet answered the challenge in another window, it fails to retrieve the widgets.js itself (for whatever reason), and then nothing happens. But if I put the javascript fragment itself someplace challenge-free, the browsers gets it and actually tries to load the page, and then fails with the "Max challenge attempts". I.e., in this case it does actually retrieve the challenge.js javascript and makes an honest effort to respond to it. ... Which makes me think that there may in fact be a way to figure out why it's failing, and address it, by tweaking the behavior of the page on the dataverse end.

<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
  <head>
    widgets test
  </head>
  <body>
    <h2>Widgets Test</h2>

    <script id="dataverse-widget-js" src="https://dataverse.harvard.edu/api/resources/js/widgets.js?alias=king&amp;dvUrl=https://dataverse.harvard.edu&amp;widgetScope=king&amp;widget=iframe&amp;heightPx=500"></script>
  </body>
</html>

FWIW: AWS does have Javascript you can add to respond to challenges triggered by fetches that your JavaScript does. There may be a little bit of chicken and egg if we don't want to require pasting their code into the host page, but I think that could be avoided by hosting widget.js itself elsewhere. If it isn't possible to just tweak the WAF challenge rules to avoid the issue we could look into this.

The widgets.js itself is not a problem. We could put it on a different server off course. But in my experiments I just put it under an exempt location in prod. (as in the static html I posted)

... If it isn't possible to just tweak the WAF challenge rules

Loading the contents of the widget is a GET on dataverse.xhtml, our most crawled and abused page. I've been assuming there is no safe way of tweaking the rules in this case. Did you have a specific solution in mind? We could set up a "secret" alias for the page reserved for the widgets use, but that would only be "safe until discovered".

I'll be happy to experiment with the javascript aws provides. But I'm not sure it's going to help us here. Since the browser is already trying, but failing to respond to the challenge. (will look into this)
My uneducated working theory is that this "Max challenge attempts exceeded" condition is caused by extra server-side redirects. So I'm going to try and see if there are some redirects that the page makes when in widget mode (?) that can be eliminated.

This is not at the top of my stack r/n, but I want to find a solution eventually.

FWIW: I was thinking of this: https://docs.aws.amazon.com/waf/latest/developerguide/waf-js-challenge-api.html Seems like a way to pass the challenge before other page activity tries to access the protected site. Not sure it covers iframe loads, but it does look like it could cover widget.js doing a get of dataverse.xhtml and then writing into the iframe - or something. I haven't done any experimentation.

Cool, I'll experiment with that.

Looks good

FWIW, I've tried to experiment with the AWS-recommended approach.
Set up a static page with the
<script type="text/javascript" src="...our aws challenge url.../challenge.js” defer></script>
in the <head> section.
it looks like I can now insert const token = AwsWafIntegration.getToken(); into widgets.js; but I haven't been able to get it to send the obtained result as the x-aws-waf-token cookie when populating the iframe... So, I guess I do need to rewrite that js to explicitly use the fetch api to read dataverse.xhtml.