fix: Allow scripts and styles to load cross-origin, e.g. from Google Translate #215
I noticed that neither scripts nor styles of my websites were loading when somebody attempted to translate an article via Google Translate. That's due to the `enableFingerprint = true` configuration option - it doesn't merely enable fingerprinting but also Subresource Integrity. Turns out, cross-origin requests with an `integrity` attribute are blocked by default, otherwise these could be misused to leak information.

The solution consists of two parts:

1. `crossorigin="anonymous"` attribute to the requests in question (done here).
2. `Access-Control-Allow-Origin: *` header to JS/CSS requests - has to be done in server configuration.

The second part probably needs documenting. The other option would be to separate fingerprinting (useful by itself to avoid using outdated scripts/styles) and Subresource Integrity in the configuration.
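The interaction described in this pull request (an `integrity` attribute is honoured only when the resource is same-origin or fetched with `crossorigin`) can be checked offline with a small lint. The script below is an added example, not part of this pull request or the theme it targets. It computes SRI values the way `enableFingerprint` does (base64 of a SHA digest, prefixed with the algorithm), verifies a resource against an `integrity` attribute, and flags every `<script>`/`<link rel="stylesheet">` that carries `integrity` but no `crossorigin` while being cross-origin relative to the page's origin. The sample HTML, the script/stylesheet bytes, the site origin `https://example.com` and the proxy origin `https://example-com.translate.goog` are all constructed for the example; that the theme emits absolute asset URLs is an assumption made so the proxied case is visible.

```python
"""Lint SRI-tagged subresources for the cross-origin/crossorigin mismatch.

Added example; the page, URLs and resource bytes below are constructed.
"""
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

SRI_ALGORITHMS = ("sha256", "sha384", "sha512")


def sri_hash(content: bytes, algo: str = "sha256") -> str:
    """Return the integrity token for this resource, e.g. 'sha256-<base64>'."""
    if algo not in SRI_ALGORITHMS:
        raise ValueError(f"unsupported SRI algorithm: {algo}")
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def verify_integrity(content: bytes, integrity: str) -> bool:
    """True if any token in the integrity attribute matches the content.

    Browsers use only the strongest listed algorithm; for a lint, any
    matching token is enough to show the page and the asset agree.
    """
    for token in integrity.split():
        algo, _, _ = token.partition("-")
        if algo in SRI_ALGORITHMS and sri_hash(content, algo) == token:
            return True
    return False


def origin_of(url: str) -> str:
    """scheme://host[:port] of an absolute URL, lower-cased for comparison."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


class _SubresourceCollector(HTMLParser):
    """Collect script and stylesheet references with their attributes."""

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.found.append((tag, a["src"], a))
        elif tag == "link" and a.get("rel") == "stylesheet" and a.get("href"):
            self.found.append((tag, a["href"], a))


def find_sri_problems(html: str, page_url: str) -> list:
    """Report subresources that would be blocked when the page is served from page_url.

    A resource with `integrity` that resolves to a different origin and has no
    `crossorigin` attribute (bare `crossorigin` counts as present) is blocked.
    """
    parser = _SubresourceCollector()
    parser.feed(html)
    page_origin = origin_of(page_url)
    problems = []
    for tag, ref, attrs in parser.found:
        if "integrity" not in attrs:
            continue
        resolved = urljoin(page_url, ref)
        if origin_of(resolved) != page_origin and "crossorigin" not in attrs:
            problems.append(
                f"<{tag}> {ref}: integrity set but no crossorigin; "
                f"cross-origin when viewed from {page_origin}"
            )
    return problems


# Constructed sample assets and page.
SAMPLE_SCRIPT = b"document.documentElement.classList.add('js');\n"
SAMPLE_CSS = b"body { margin: 0 }\n"
SAMPLE_LOCAL = b"// local helper\n"
SAMPLE_HTML = f"""<html><head>
<link rel="stylesheet" href="https://example.com/css/style.css"
      integrity="{sri_hash(SAMPLE_CSS)}" crossorigin="anonymous">
<script src="https://example.com/js/main.js" integrity="{sri_hash(SAMPLE_SCRIPT)}"></script>
<script src="/js/local.js" integrity="{sri_hash(SAMPLE_LOCAL)}"></script>
</head><body></body></html>"""

if __name__ == "__main__":
    # Viewed on the site itself: every reference is same-origin, nothing is blocked.
    print("own origin:", find_sri_problems(SAMPLE_HTML, "https://example.com/post/"))
    # Viewed through a translating proxy: the absolute main.js reference is now
    # cross-origin and lacks crossorigin, so the browser refuses to run it.
    print("proxied:", find_sri_problems(SAMPLE_HTML, "https://example-com.translate.goog/post/"))
```

Run with `python3 sri_lint.py`; the first check returns an empty list, the second lists `main.js` only: the stylesheet already carries `crossorigin="anonymous"` and the root-relative `local.js` resolves to the proxy's own origin. Adding `crossorigin` is only half of the fix, as the description says: the server must also answer those JS/CSS requests with `Access-Control-Allow-Origin: *`, or the cross-origin fetch fails with a CORS error instead of an integrity error.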