I recently got a warning about SRI/CORS that I believe is a bug in Hardenize.
I have reduced it to a simplified example. Compare these:
The two websites include a JavaScript file on the same origin with an SRI hash, and are almost identical. The only difference is that t0 uses `src="/test.js"` (leading slash), while t1 uses `src="test.js"` (no slash). The latter gets several warnings from Hardenize ("Invalid local SRI CORS configuration", "Invalid remote SRI CORS configuration", "Invalid SRI configuration").
This is probably a bug in Hardenize that somehow interprets the src without the slash as a remote origin. The JavaScript is fetched from the same origin, therefore no CORS is necessary.
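The URL resolution this report relies on, as an added example that is not part of the original issue and not Hardenize's code: a `src` value is resolved against the page URL (or a `<base href>`), and only the resulting origin decides whether SRI needs CORS. The hostnames and the `classifyScriptSrc` helper are hypothetical.

```javascript
// Added example: classify a <script src> the way a browser resolves it.
// All hostnames are constructed placeholders, not the sites from the issue.

function classifyScriptSrc(src, pageUrl, baseHref) {
  const page = new URL(pageUrl);
  // A <base href>, if present, is itself resolved against the page URL
  // and then becomes the base for every relative reference on the page.
  const base = baseHref ? new URL(baseHref, page) : page;
  const resolved = new URL(src, base); // WHATWG URL resolution
  // Same origin means identical scheme, host and port.
  const sameOrigin = resolved.origin === page.origin;
  return {
    src,
    resolved: resolved.href,
    sameOrigin,
    // SRI on a cross-origin script needs a CORS fetch (crossorigin attribute
    // plus Access-Control-Allow-Origin); a same-origin script needs neither.
    corsRequiredForSri: !sameOrigin,
  };
}

// Constructed sample inputs covering the forms a checker has to tell apart.
function report() {
  const page = "https://t1.example.test/";
  const samples = [
    ["/test.js", undefined],                            // root-relative path
    ["test.js", undefined],                             // path-relative, no slash
    ["./test.js", undefined],                           // explicit current dir
    ["//cdn.example.test/test.js", undefined],          // scheme-relative: remote host
    ["https://t1.example.test:8443/test.js", undefined], // same host, other port
    ["test.js", "https://cdn.example.test/assets/"],    // <base href> moves it off-origin
  ];
  return samples.map(([src, baseHref]) => classifyScriptSrc(src, page, baseHref));
}

for (const r of report()) {
  console.log(`${r.src.padEnd(40)} -> ${r.resolved}  cors=${r.corsRequiredForSri}`);
}
```

A checker that keys on the leading slash instead of the resolved origin misclassifies the second and third samples; the last one shows the only case where a bare `test.js` is genuinely remote.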