Auth0.js CDN missing necessary CORS header to enforce Subresource Integrity

I was trying to add an integrity attribute to the script tag that fetches auth0.js from the CDN, to enforce Subresource Integrity, but the CDN response for this resource lacks the Access-Control-Allow-Origin header.

Because of this, the browser (Chrome in this case) will fail to fetch the resource with a message like:

Access to script at 'https://cdn.auth0.com/js/auth0/9.1.2/auth0.min.js' from origin 'https://foo.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

Here is an example of the script tag I was trying to use:

<script src="https://cdn.auth0.com/js/auth0/9.1.2/auth0.min.js" integrity="sha384-ctm6aP6727UJVSa0lS+z0WcOZ8KVU9LtKFN6oZMbnf2lXRpg8mmNi/q0DYWEMhUD" crossorigin="anonymous"></script>

The solution should be as simple as configuring the CDN to respond with the following in the response headers:

Access-Control-Allow-Origin: *

Let me reach out to our auth0.js tool maintainers to see what we can do about that!

Hey again @ghills!

Talked with them a few times, but it seems like a more cross-team collaboration effort and will need a bit more time. Will get back to you as soon as I have info to share!

Thanks for pursuing this one @konrad.sopala

No worries! We’re here for you!

Hi @konrad.sopala - is there any update on this?

Hey there @ghills!

Sorry for the delay but the wave of topics recently is quite huge. Thanks for understanding!

I reached out to the team and it seems that it’s a multi-team collaboration effort. They added it to their backlog and it seems that there are a few security implications they’re currently checking. Will let you know as soon as we have it worked out!

Hey @konrad.sopala, just popping in for an update on this feature request

Let me follow up on that with the team!

Any update on this? It seems to have been open for a long time.

Bump.

Any update? I’m hesitant about keeping auth0 in production without this.

Hi @konrad.sopala

Any update?