Auth0.js CDN missing necessary CORS header to enforce Subresource Integrity

I was trying to add an integrity attribute to our script tag that fetches auth0.js from the CDN, to enforce Subresource Integrity, but the CDN response for this resource lacks the Access-Control-Allow-Origin header.

Because of this, the browser (Chrome in this case) will fail to fetch the resource with a message like:

Access to script at 'https://cdn.auth0.com/js/auth0/9.1.2/auth0.min.js' from origin 'https://foo.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

Here is an example of the script tag I was trying to use:

<script src="https://cdn.auth0.com/js/auth0/9.1.2/auth0.min.js" integrity="sha384-ctm6aP6727UJVSa0lS+z0WcOZ8KVU9LtKFN6oZMbnf2lXRpg8mmNi/q0DYWEMhUD" crossorigin="anonymous"></script>

The solution should be as simple as configuring the CDN to respond with the following in the response headers:

Access-Control-Allow-Origin: *

Let me reach out to our auth0.js tool maintainers to see what we can do about that!

1 Like

Hey again @ghills!

Talked with them a few times, but it seems like more of a cross-team collaboration effort and will need a bit more time. Will get back to you as soon as I have info to share!

Thanks for pursuing this one @konrad.sopala

No worries! We’re here for you!

1 Like

Hi @konrad.sopala - is there any update on this?

Hey there @ghills!

Sorry for the delay but the wave of topics recently is quite huge. Thanks for understanding!

I reached out to the team and it seems that it’s a multi-team collaboration effort. They added it to their backlog and it seems that there are a few security implications they’re currently checking. Will let you know as soon as we have it worked out!

Hey @konrad.sopala, just popping in for an update on this feature request

Let me follow up on that with the team!

Any update on this? It seems to have been open for a long time.

1 Like

Bump.

Any update? I’m hesitant about keeping auth0 in production without this.

Hi @konrad.sopala

Any update?