I was trying to add to our script tag that fetches auth0.js from the CDN to enforce Subresource Integrity, but the CDN response for this resource lacks the Access-Control-Allow-Origin header.
Because of this, the browser (Chrome in this case) will fail to fetch the resource with a message like:
Access to script at 'https://cdn.auth0.com/js/auth0/9.1.2/auth0.min.js' from origin 'https://foo.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
Here is an example of the script tag I was trying to use:
Talked with a few times, but it seems like more of a cross-team collaboration effort and will need a bit more time for it. Will get back to you as soon as I have info to share!
Sorry for the delay but the wave of topics recently is quite huge. Thanks for understanding!
I reached out to the team and it seems that it’s a multi-team collaboration effort. They added it to their backlog and it seems that there are a few security implications they’re currently checking. Will let you know as soon as we have it worked out!
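
The failure reported in this thread, as an added example that is not part of any post above and is not Auth0's code: a Node.js sketch that computes an SRI value, renders the tag, and models the browser's CORS-then-hash decision. The script bytes are a constructed stand-in, `evaluateLoad` is a hypothetical simplification (single hash, no credentials), and the URLs are the ones quoted in the error message.

```javascript
const { createHash } = require('node:crypto');

// Constructed stand-in for the CDN file's bytes; NOT the real auth0.min.js.
const SAMPLE_SCRIPT = Buffer.from('window.demo = function () { return 1; };\n');

// SRI value format: "<algorithm>-<base64 digest of the exact response bytes>".
function sriHash(bytes, algo = 'sha384') {
  return `${algo}-${createHash(algo).update(bytes).digest('base64')}`;
}

// crossorigin="anonymous" makes the browser fetch in CORS mode without
// credentials, so it is allowed to read the bytes it has to hash.
function scriptTag(src, integrity) {
  return `<script src="${src}" integrity="${integrity}" crossorigin="anonymous"></script>`;
}

// Simplified model of the browser's decision for a cross-origin script that
// carries an integrity attribute. Header names are expected in lowercase.
function evaluateLoad({ pageOrigin, responseHeaders, body, integrity }) {
  const acao = responseHeaders['access-control-allow-origin'];
  // Step 1: the CORS check. A missing header fails here, before any hashing,
  // which is the console error quoted in the first post.
  if (acao !== '*' && acao !== pageOrigin) {
    return 'blocked: CORS';
  }
  // Step 2: the digest of the received bytes must match the pinned value.
  const [algo] = integrity.split('-');
  if (sriHash(body, algo) !== integrity) {
    return 'blocked: integrity mismatch';
  }
  return 'loaded';
}

const integrity = sriHash(SAMPLE_SCRIPT);
const page = { pageOrigin: 'https://foo.com', body: SAMPLE_SCRIPT, integrity };

console.log(scriptTag('https://cdn.auth0.com/js/auth0/9.1.2/auth0.min.js', integrity));
// CDN response without the header, as described in the thread.
console.log(evaluateLoad({ ...page, responseHeaders: {} }));
// Same bytes served with a permissive CORS header.
console.log(evaluateLoad({ ...page, responseHeaders: { 'access-control-allow-origin': '*' } }));
// CORS passes but the bytes differ from what was pinned.
console.log(evaluateLoad({
  ...page,
  body: Buffer.from('tampered'),
  responseHeaders: { 'access-control-allow-origin': '*' },
}));
```

When generating the value for a real file, hash the exact bytes the CDN serves; any re-minification or added newline changes the digest.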