I was trying to add to our script tag that fetches auth0.js from the CDN to enforce Subresource Integrity but the CDN response for this resource lacks the
Because of this, the browser (Chrome in this case) will fail to fetch the resource with a message like:
Access to script at 'https://cdn.auth0.com/js/auth0/9.1.2/auth0.min.js' from origin 'https://foo.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
Here is an example of the script tag I was trying to use:
<script src="https://cdn.auth0.com/js/auth0/9.1.2/auth0.min.js" integrity="sha384-ctm6aP6727UJVSa0lS+z0WcOZ8KVU9LtKFN6oZMbnf2lXRpg8mmNi/q0DYWEMhUD" crossorigin="anonymous"></script>
The solution should be as simple as configuring the CDN to respond with the following in the response headers:
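Added example, not part of the original post and not Auth0's code: a Node.js model of the two checks a browser applies to a cross-origin script tag like the one above, first the CORS check on the `Access-Control-Allow-Origin` header named in the Chrome error, then the integrity comparison. The script body, header values and function names are constructed for illustration, and a single hash in the `integrity` attribute is assumed.

```javascript
// Added example (Node.js), not Auth0's code. Function names are hypothetical.
const { createHash } = require('node:crypto');

// SRI value for a script body: "<algo>-<base64 digest>".
function sriDigest(body, algo = 'sha384') {
  return `${algo}-${createHash(algo).update(body).digest('base64')}`;
}

// Header names are case-insensitive, so normalise before lookup.
function header(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
  return key === undefined ? undefined : headers[key];
}

// Simplified CORS check for crossorigin="anonymous" (no credentials):
// the response must allow any origin or exactly the embedding page's origin.
function corsAllows(headers, pageOrigin) {
  const acao = header(headers, 'access-control-allow-origin');
  return acao === '*' || acao === pageOrigin;
}

// Outcome of loading a cross-origin script that carries one integrity hash.
// Without a passing CORS check the hash is never compared at all.
// Browsers ignore unknown algorithms; this model only reports them.
function evaluateSriLoad(response, integrity, pageOrigin) {
  if (!corsAllows(response.headers, pageOrigin)) return 'cors-blocked';
  const algo = integrity.slice(0, integrity.indexOf('-'));
  if (!['sha256', 'sha384', 'sha512'].includes(algo)) return 'unsupported-algorithm';
  return sriDigest(response.body, algo) === integrity ? 'loaded' : 'integrity-mismatch';
}

// Constructed sample data: a stand-in script body and response headers.
const body = Buffer.from('window.demo = 1;');
const integrity = sriDigest(body);
const withoutCors = { body, headers: { 'Content-Type': 'application/javascript' } };
const withCors = { body, headers: { ...withoutCors.headers, 'Access-Control-Allow-Origin': '*' } };
const tampered = { ...withCors, body: Buffer.from('window.demo = 2;') };

for (const [label, res] of Object.entries({ withoutCors, withCors, tampered })) {
  console.log(label, '->', evaluateSriLoad(res, integrity, 'https://foo.com'));
}
```

The first case reproduces the situation in the post: the hash is correct, but the load is blocked before it is ever checked.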