Subresource Integrity of Auth0 JS files included in the hosted login page

I have a query regarding Subresource Integrity of the Auth0 js files in the hosted login page.

I have generated the SRI via https://www.srihash.org/

E.g. for this script – which is included in the hosted page

<script src="https://cdn.auth0.com/js/auth0/9.2/auth0.min.js"></script>

I have generated the following

<script src="https://cdn.auth0.com/js/auth0/9.2/auth0.min.js" integrity="sha384-HQ5n7jbZ6bcCJjBg1VUZrtQk6nj6kJk+aPtT1ndxc3PG06jmN7smZ4vKwQq9yvGF" crossorigin="anonymous"></script>

But when this is included in the hosted page I get the following CORS error:

"Access to script at 'https://cdn.auth0.com/js/auth0/9.2/auth0.min.js' from origin has been blocked by CORS policy. No 'Access-Control-Allow-Origin' header present on the requested resource."

I have looked into the configuration for the tenants but cannot find any settings where I could override this or specify anything for CORS.

There is a configuration option at Application level in the Auth0 tenant for Allowed Origins (CORS), but I cannot find one for the hosted pages.

Has anyone come across this issue? Help really appreciated. This was something that was identified by a Pentest that we carried out recently against our application.

Many Thanks.
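The interaction behind the error in the question, as an added example that is not part of the original post or Auth0's code: a browser only checks an `integrity` value on a cross-origin script when the response passes a CORS check, so the result depends on the CDN's response headers as well as on the hash. The page origin, headers and file bytes below are constructed sample values, and the function names are hypothetical.

```javascript
// Added example, not from the thread. Node.js, standard library only.
const crypto = require('crypto');

// SRI value for the exact bytes served: "<algo>-<base64 digest>".
function sriValue(bytes, algo = 'sha384') {
  return `${algo}-${crypto.createHash(algo).update(bytes).digest('base64')}`;
}

// True if the bytes match one of the integrity values that use the
// strongest algorithm present (weaker ones are ignored, as in browsers).
function integrityMatches(integrityAttr, bytes) {
  const rank = ['sha256', 'sha384', 'sha512'];
  const items = integrityAttr.trim().split(/\s+/)
    .map(v => v.split('?')[0])                      // drop "?options"
    .filter(v => rank.includes(v.split('-')[0]));
  if (items.length === 0) return true;  // no usable metadata, nothing enforced
  const best = rank[Math.max(...items.map(v => rank.indexOf(v.split('-')[0])))];
  return items.some(v => v === sriValue(bytes, best));
}

// Outcome of <script src=cross-origin integrity=... crossorigin=...>.
// crossoriginAttr: null when the attribute is absent, else 'anonymous'
// or 'use-credentials'. headers: response headers sent by the CDN.
function sriLoadOutcome({ pageOrigin, crossoriginAttr, headers, integrityAttr, bytes }) {
  const h = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  // Without crossorigin the fetch is no-cors, the response is opaque, and
  // an opaque response can never pass an integrity check.
  if (crossoriginAttr === null) return 'blocked-opaque';
  const acao = h['access-control-allow-origin'];
  const ok = crossoriginAttr === 'use-credentials'
    ? acao === pageOrigin && h['access-control-allow-credentials'] === 'true'
    : acao === '*' || acao === pageOrigin;
  if (!ok) return 'blocked-cors';
  return integrityMatches(integrityAttr, bytes) ? 'loaded' : 'blocked-digest';
}

// Constructed sample data: stand-in file bytes and page origin.
const SAMPLE = Buffer.from('window.sample = 1;');
const PAGE = 'https://login.example.test';
const tag = { pageOrigin: PAGE, integrityAttr: sriValue(SAMPLE), bytes: SAMPLE };

// The case in the question: correct hash, crossorigin="anonymous", no CORS header.
console.log(sriLoadOutcome({ ...tag, crossoriginAttr: 'anonymous', headers: {} }));
// Dropping crossorigin does not help: the response becomes opaque.
console.log(sriLoadOutcome({ ...tag, crossoriginAttr: null, headers: {} }));
// Same tag once the file is served with Access-Control-Allow-Origin.
console.log(sriLoadOutcome({ ...tag, crossoriginAttr: 'anonymous',
  headers: { 'Access-Control-Allow-Origin': '*' } }));
```

To compare against a value produced by an online generator, pass the downloaded file's bytes to `sriValue` and check that the strings are identical.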

Hey there!

Sorry for such a huge delay in response! We’re doing our best in providing you with the best developer support experience out there, but sometimes our bandwidth is not enough compared to the number of incoming questions.

Wanted to reach out to know if you still require further assistance?