However, in the final DOM output, the crossorigin prop is not being emitted. Copying from the Vue Dev tool on Chrome, the following attributes are shown for the script2 tag; I see all relevant props (src, integrity, crossorigin) are being set properly:
As you can see, the crossorigin is being dropped and this prevents most uses of SRI from working since in most cases a CORS preflight has to be done (e.g. when loading script from a CDN). The following error is thrown in Chrome when trying to load the page with this script tag:
Subresource Integrity: The resource 'https://cdnjs.cloudflare.com/ajax/libs/zxcvbn/4.3.0/zxcvbn.js' has an integrity attribute, but the resource requires the request to be CORS enabled to check the integrity, and it is not. The resource has been blocked because the integrity cannot be enforced.
vue-script2.js?4ec5:84
Uncaught (in promise) Error: https://cdnjs.cloudflare.com/ajax/libs/zxcvbn/4.3.0/zxcvbn.js(…)
s.onerror @ vue-script2.js?4ec5:84
For testing you can generate a valid SRI hash easily using this tool:
This is very weird. As you can see crossorigin should be being included...
BTW, it's nice to see someone using the integrity attribute. 'Bout damn time! (Especially for JS served by CloudFlare!)
Haven't much time right now to look deeply into this, but here, try adding a line near here along the lines of s.crossorigin = opts.crossorigin to set it using = instead of _.defaults2 and let me know if it works.
I am trying the following tag:
However, in the final DOM output, the crossorigin prop is not being emitted. Copying from the Vue Dev tool on Chrome, the following attributes are shown for the script2 tag; I see all relevant props (src, integrity, crossorigin) are being set properly:
But the DOM outputs:
As you can see, the crossorigin is being dropped and this prevents most uses of SRI from working since in most cases a CORS preflight has to be done (e.g. when loading script from a CDN). The following error is thrown in Chrome when trying to load the page with this script tag:
For testing you can generate a valid SRI hash easily using this tool:
https://www.srihash.org/
And you can learn more about SRI here:
https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity
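A check for the condition reported in this issue, added here as an example (it is not vue-script2 code and not code from the thread): it scans rendered markup for script tags that carry integrity on a cross-origin src but no crossorigin attribute, which is the case Chrome blocks above. The function names, the page URL https://app.example/login, the host cdn.example and the placeholder hash values are assumptions.

```javascript
// Added example, not vue-script2 code. Flags <script> tags in rendered markup
// that carry integrity for a cross-origin src but lack crossorigin.

// Parse the attributes of one opening <script> tag into a lowercase-keyed map.
// Simplification: attribute values containing '>' are not handled.
function parseAttrs(openTag) {
  const attrs = {};
  const body = openTag.replace(/^<script\b/i, '').replace(/\/?>$/, '');
  const re = /([^\s"'=<>\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(body)) !== null) {
    // A bare attribute (e.g. `crossorigin`) is recorded with an empty value.
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// Return one finding per script whose integrity the browser cannot enforce.
function auditSri(html, pageUrl) {
  const pageOrigin = new URL(pageUrl).origin;
  const findings = [];
  for (const tag of html.match(/<script\b[^>]*>/gi) || []) {
    const a = parseAttrs(tag);
    if (!('src' in a) || !('integrity' in a)) continue;
    // Resolve relative and protocol-relative URLs against the page URL.
    const isCrossOrigin = new URL(a.src, pageUrl).origin !== pageOrigin;
    if (isCrossOrigin && !('crossorigin' in a)) {
      findings.push({ src: a.src, problem: 'integrity without crossorigin' });
    }
  }
  return findings;
}

// Constructed sample markup. The first tag mirrors the DOM output described
// in the issue (crossorigin dropped); hash values are placeholders.
const SAMPLE = `
<script src="https://cdnjs.cloudflare.com/ajax/libs/zxcvbn/4.3.0/zxcvbn.js"
        integrity="sha384-PLACEHOLDER"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/zxcvbn/4.3.0/zxcvbn.js"
        integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="/static/app.js" integrity="sha384-PLACEHOLDER"></script>
<script src="https://cdn.example/lib.js"></script>`;

console.log(auditSri(SAMPLE, 'https://app.example/login'));
```

In a browser the same function can be run over document.documentElement.outerHTML after the components have rendered.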