Auth0.min.js version 9.15.0 does not support CORS

The latest deployed release of auth0.min.js (version 9.15.0) does not support CORS and therefore third-party subresource integrity hash generators cannot be used.

https://cdn.auth0.com/js/auth0/9.15.0/auth0.min.js does not work with https://www.srihash.org/ and the SRI generator claims it’s because the URL does not support CORS.

All prior versions of auth0.min.js worked just fine with third-party SRI hash generators, so something is different about the way this latest release was deployed.

Please fix this!

1 Like

Hi @Paton,

In order to confirm when the change was introduced, does the CORS issue occur when reverted to the very last version (9.14.3)?

Also, are you using auth0.js in an embedded login form or in a customized Universal Login?

Looking at the repo, it looks like the changes made in version 9.15.0 were:

  • Apply secure flag to cookies when running on https protocol
  • Add onRedirecting login hook
  • Add support for the new Organizations feature that’s currently in beta

Can confirm that 9.14.3 does not have this problem. 9.15 does not return the required CORS header.

You are now sending the right CORS information to permit subresource integrity hash generation. Looks like you fixed the problem with that URL, thanks. Hopefully you also fixed the bug in your deployment tools/config?

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.