Auth0.min.js version 9.15.0 does not support CORS

Paton · April 10, 2021, 12:47am

The latest deployed release of auth0.min.js (version 9.15.0) does not support CORS and therefore third-party subresource integrity hash generators cannot be used.

https://cdn.auth0.com/js/auth0/9.15.0/auth0.min.js does not work with https://www.srihash.org/ and the SRI generator claims it’s because the URL does not support CORS.

All prior versions of auth0.min.js worked just fine with third-party SRI hash generators, so something is different about the way this latest release was deployed.

Please fix this!

stephanie.chamblee · April 12, 2021, 11:22am

Hi @Paton,

In order to confirm when the change was introduced, does the CORS issue occur when reverted to the very last version (9.14.3)?

Also, are you using auth0.js in an embedded login form or in a customized Universal Login?

Looking at the repo, it looks like the changes made in version 9.15.0 were:

Apply secure flag to cookies when running on https protocol
Add onRedirecting login hook
Add support for the new Organizations feature that’s currently in beta

harrisonm · April 13, 2021, 8:50pm

Can confirm that 9.14.3 does not have this problem. 9.15 does not return the required CORS header.

Paton · April 19, 2021, 7:01am

You are now sending the right CORS information to permit subresource integrity hash generation. Looks like you fixed the problem with that URL, thanks. Hopefully you also fixed the bug in your deployment tools/config?

system · May 4, 2021, 7:02am

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.