Auth0 Home Blog Docs

Subresource Integrity of Auth0 JS files included in the hosted login page

I have a query regarding Subresource Integrity of the Auth0 js files in the hosted login page.

I have generated the SRI via

E.g. for this script – which is included in the hosted page

<script src=""></script>

I have generated the following

<script src="" integrity="sha384-HQ5n7jbZ6bcCJjBg1VUZrtQk6nj6kJk+aPtT1ndxc3PG06jmN7smZ4vKwQq9yvGF" crossorigin="anonymous"></script>

But when this is included in the hosted page I get the following CORS error

"Access to script at “” from origin has been blocked by CORS policy. No-Access-Control-Allow-Origin’ header present on the requested resource.

I have looked into the configuration for the tenants but can not find any settings where I could override this or specific anything for CORS

There is a configuration option at Application level in the Auth0 tenant to Allowed Origins (CORS) but I can not find one for the hosted pages.

Has anyone come across this issue. Help really appreciated. This was something that was identified by a Pentest that we carried out recently against our application.

Many Thanks.