Theme CSS missing crossorigin="anonymous"

[prenagha]

If you run the same hugo deploy on multiple URLs like I do then you run into this problem where the theme style sheet can't be loaded. The stylesheet link tag as the integrity attribute which is great, but is missing the crossorigin="anonymous". You will see the other stylesheets that have integrity have that attribute. It only really matters that it is missing when the URL of the page is not the same domain as the theme stylesheet URL, which in my case does happen. Pull request for fix on the way.

Subresource Integrity: The resource 'https://example/css/coder.min.578f8f...8135600.css' has an integrity attribute, but the resource requires the request to be CORS enabled to check the integrity, and it is not. The resource has been blocked because the integrity cannot be enforced.

[khos2ow]

What's your use case that you end up deploying one build on multiple URLs?

[prenagha]

I am deploying my personal site to
www.example.com
and example.com for example
I actually have three personal domains (.com, .net. .org) and I am deploying to www. and root on all of those
I am testing the fix in my fork right now and will open a pull request for folks to look at here and see if they want to incorporate.

[luizdepra]

Interesting use case. But isn't simpler if you just redirect every other address to a main one?

Anyway, thanks.

[prenagha]

Yes, perhaps, I am investigating that now. But thought this change was warranted regardless, to at least make the CSS links consitent. Thanks for merging.

[khos2ow]

Although I think this approach is not a good idea, specially that it confuses search engines as well as users, and also it reduces the overall SEO score (which on a personal site might not be that relevant) but I agree with @luizdepra to pick one to be the source of truth and redirect every combination of .net, .org, with or without www, even with or without SSL, to that one single site (let's say https://example.com).

If you still want to keep the same setup I still don't know how you proceed with selecting one resources to be the source of css files. How other sites are going to reference to it? How did you build the site for other setup in the first place? The very first thing I was thinking about when you opened the issue was to generate the site multiple times with passing additional base URL flag:

$: hugo --baseURL=http://www.example.com && scp ...
$: hugo --baseURL=http://www.example.net && scp ...
$: hugo --baseURL=http://www.example.org && scp ...

but this still doesn't solve for with and without www.

Anyway, addition of this PR is super awesome but I believe your setup can be improved.

[prenagha]

Absent my particular example of multiple top level domains, you still have the common situation of www and root domains both accessing the same running web site. Commonly a CNAME redirects one to the other. So needing to deal with the possibility of the URL domain not matching the hugo baseUrl is not going to be that exceptional. And this patch makes consistent the handling of CSS link elements, if you specify integrity (which is good), it is always best practice to also specify the crossorigin attribute.

[khos2ow]

Yes, I totally agree on that part.