I have a query regarding Subresource Integrity of the Auth0 js files in the hosted login page.
I have generated the SRI via https://www.srihash.org/
E.g. for this script – which is included in the hosted page
I have generated the following
<script src="https://cdn.auth0.com/js/auth0/9.2/auth0.min.js" integrity="sha384-HQ5n7jbZ6bcCJjBg1VUZrtQk6nj6kJk+aPtT1ndxc3PG06jmN7smZ4vKwQq9yvGF" crossorigin="anonymous"></script>
But when this is included in the hosted page I get the following CORS error
"Access to script at “https://cdn.auth0.com/js/auth0/9.2/auth0.min.js” from origin has been blocked by CORS policy. No-Access-Control-Allow-Origin’ header present on the requested resource.
I have looked into the configuration for the tenants but can not find any settings where I could override this or specific anything for CORS
There is a configuration option at Application level in the Auth0 tenant to Allowed Origins (CORS) but I can not find one for the hosted pages.
Has anyone come across this issue. Help really appreciated. This was something that was identified by a Pentest that we carried out recently against our application.