
Subresource Integrity of Auth0 JS files included in the hosted login page

I have a query regarding Subresource Integrity of the Auth0 JS files in the hosted login page.

I have generated the SRI via https://www.srihash.org/.

E.g. for this script – which is included in the hosted page

<script src="https://cdn.auth0.com/js/auth0/9.2/auth0.min.js"></script>

I have generated the following

<script src="https://cdn.auth0.com/js/auth0/9.2/auth0.min.js" integrity="sha384-HQ5n7jbZ6bcCJjBg1VUZrtQk6nj6kJk+aPtT1ndxc3PG06jmN7smZ4vKwQq9yvGF" crossorigin="anonymous"></script>

But when this is included in the hosted page I get the following CORS error

"Access to script at 'https://cdn.auth0.com/js/auth0/9.2/auth0.min.js' from origin has been blocked by CORS policy. No 'Access-Control-Allow-Origin' header present on the requested resource."

I have looked into the configuration for the tenants but cannot find any settings where I could override this or specify anything for CORS.

There is a configuration option at Application level in the Auth0 tenant for Allowed Origins (CORS), but I cannot find one for the hosted pages.

Has anyone come across this issue? Help really appreciated. This was something that was identified by a Pentest that we carried out recently against our application.

Many Thanks.
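
Added example, not part of the original post and not Auth0 code: a small Node.js model of how a browser decides whether a cross-origin script carrying an `integrity` attribute may run, showing why a CDN response without `Access-Control-Allow-Origin` is blocked before the hash is ever compared. The page origin, script bytes and headers are constructed; only `crossorigin` absent or `anonymous` is modelled.

```javascript
// Added example: models how a browser treats a cross-origin <script integrity=...>.
// All inputs are constructed; nothing is fetched.
const crypto = require('crypto');

const STRENGTH = { sha256: 1, sha384: 2, sha512: 3 };

// Integrity value ("sha384-<base64>") over the exact bytes the CDN serves.
function sriHash(bytes, alg = 'sha384') {
  return `${alg}-${crypto.createHash(alg).update(bytes).digest('base64')}`;
}

// Parse the attribute; only hashes of the strongest algorithm listed are used.
function strongestHashes(integrity) {
  const parsed = integrity.trim().split(/\s+/).filter(Boolean).map((tok) => {
    const i = tok.indexOf('-');
    return { alg: tok.slice(0, i), b64: tok.slice(i + 1).split('?')[0] };
  }).filter((h) => STRENGTH[h.alg]);
  const best = Math.max(0, ...parsed.map((h) => STRENGTH[h.alg]));
  return parsed.filter((h) => STRENGTH[h.alg] === best);
}

// crossorigin: null (attribute absent) or 'anonymous'. Header names lowercase.
function evaluateScript({ pageOrigin, crossorigin, integrity, headers, body }) {
  const hashes = strongestHashes(integrity);
  if (hashes.length === 0) return 'loaded';            // no usable metadata: no check
  if (crossorigin === null) return 'blocked-opaque';   // no-cors response cannot be hashed
  const acao = headers['access-control-allow-origin'];
  if (acao !== '*' && acao !== pageOrigin) return 'blocked-cors';
  const ok = hashes.some((h) => sriHash(body, h.alg) === `${h.alg}-${h.b64}`);
  return ok ? 'loaded' : 'blocked-integrity';
}

// Constructed stand-ins for the page origin and the CDN file.
const pageOrigin = 'https://login.example.test';
const body = Buffer.from('window.demoSdk = { version: "0.0.0" };');
const integrity = sriHash(body);
const base = { pageOrigin, integrity, body, crossorigin: 'anonymous' };

function demo() {
  return {
    noCorsHeader: evaluateScript({ ...base, headers: {} }),
    wildcard: evaluateScript({ ...base, headers: { 'access-control-allow-origin': '*' } }),
    noAttribute: evaluateScript({ ...base, crossorigin: null, headers: {} }),
    tampered: evaluateScript({ ...base, body: Buffer.from('window.demoSdk = null;'),
      headers: { 'access-control-allow-origin': '*' } }),
  };
}
console.log(demo());
```

The `noCorsHeader` case corresponds to the error quoted in the post: the integrity check can only happen on a CORS-readable response, so the fix lies in the headers the script host returns rather than in the hash.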