Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Subresource Integrity failures when using ASSET_URL #1426

Closed
mnightingale opened this issue Apr 24, 2024 · 3 comments · Fixed by #1427
Closed

Subresource Integrity failures when using ASSET_URL #1426

mnightingale opened this issue Apr 24, 2024 · 3 comments · Fixed by #1427
Labels
bug

Comments

@mnightingale
Copy link

Horizon Version

5.24.3

Laravel Version

10.48.9

PHP Version

8.3.6

Redis Driver

PhpRedis

Redis Version

6.0.2

Database Driver & Version

No response

Description

Related #1421

I have a deployment using a CDN via ASSET_URL=https:://cdn.domain.com but I'm running into CORs issues.

Chrome reports:

Subresource Integrity: The resource 'https://cdn.domain.com/vendor/horizon/styles.css' has an integrity attribute, but the resource requires the request to be CORS enabled to check the integrity, and it is not. The resource has been blocked because the integrity cannot be enforced.

CORs is confusing but I resolve for the main site using AppServiceProvider with the following, but all my customisations via the Vite facade appear to be ignored within horizon including createAssetPathsUsing which I hoped could be an alternative to exclude horizon paths from using the CDN altogether.

Vite::useStyleTagAttributes(['crossorigin' => 'anonymous'])
  ->useScriptTagAttributes(['crossorigin' => 'anonymous'])

I'm not sure how to fix it but it looks like

horizon/resources/views/layout.blade.php

Lines 1 to 21 in bf3c4a8

@php
use Illuminate\Support\Facades\Vite;
use Illuminate\Foundation\Vite as ViteFoundation;
$nonExistentFileName = '/vendor/horizon/nonExistentFile';
$vite = new ViteFoundation();
$vite->useHotFile($nonExistentFileName);
$viteDataSchemeLight = new ViteFoundation();
$viteDataSchemeLight->useHotFile($nonExistentFileName);
$viteDataSchemeLight->useStyleTagAttributes([
'data-scheme' => 'light',
]);
$viteDataSchemeDark = new ViteFoundation();
$viteDataSchemeDark->useHotFile($nonExistentFileName);
$viteDataSchemeDark->useStyleTagAttributes([
'data-scheme' => 'dark',
]);
@endphp
may create it's own instance ignoring all customisations, perhaps that should somehow clone and extend the users defaults or at least have a way to apply customisations?

For now I've reverted to 5.24.2 which doesn't have integrity attributes so loads without issue.

Steps To Reproduce

Access assets via a different domain, i.e ASSET_URL=https://cdn.domain.com and try to access the horizon dashboard.
@mnightingale
Copy link
Author

Something else I've noticed is vite is configured to not have hashes in filenames,presumably to keep git cleaner but assets will be non-cache-busting.

Not sure if there is a way to get vite to handle it, or createAssetPathsUsing appending Vite::manifestHash() to the query string?

mmachatschek added a commit to mmachatschek/horizon that referenced this issue Apr 24, 2024
@mmachatschek
Fix setting custom ASSET_URLs and support cache busting without integ…
a6720ac 
…rity check

Fixes laravel#1425
Fixes laravel#1426
@mmachatschek mmachatschek mentioned this issue Apr 24, 2024
Merged
@mmachatschek
Copy link
Contributor

@mnightingale PR#1427 should solve your issue

@driesvints driesvints added the bug label Apr 25, 2024
@hanicab
Copy link

hanicab commented Apr 29, 2024

I have the same issue, thank you

taylorotwell pushed a commit that referenced this issue Apr 29, 2024
@mmachatschek
Fix setting custom ASSET_URLs and support cache busting without integ…
1b5a027 
…rity check (#1427)

Fixes #1425
Fixes #1426
@ValCanBuild ValCanBuild mentioned this issue May 3, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug
Projects
None yet
Milestone
No milestone
4 participants
@driesvints @mnightingale @mmachatschek @hanicab