Can't use integrity script attribute | Community
Skip to main content

Can't use integrity script attribute

  • March 14, 2024
  • 5 replies
  • 11 views
Oriol11

Hello

I am trying to build a Zendesk app and followed the steps in this guide:

https://developer.zendesk.com/documentation/apps/getting-started/using-zcli/

The `iframe.html` file includes a script tag. As a security measure, I'm required by my company to add an integrity attribute to this script tag with a hash to verify the script has not been manipulated.

<scripttype="text/javascript"src="https://assets.zendesk.com/apps/sdk/2.0/zaf_sdk.js"

integrity="sha256-WHVWWMLV1MeI0XWqHvUm6vA8imQw6GsC/2dB6Cwx0OE="crossorigin="anonymous"></script>
 
 

However, doing this introduces CORS errors when I run the app locally. I didn't try it yet, but I assume the same will happen if I deploy it.

Access to script at 'https://assets.zendesk.com/apps/sdk/2.0/zaf_sdk.js' from origin 'http://localhost:4567' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

 

To fix this, I believe the server hosting the script should include the `Access-Control-Allow-Origin` header.

Is there a way to fix this or am I unable to use the integrity attribute?

Thank you

 

    5 replies

    Tipene
    • Tipene
    • March 19, 2024

    Hey Oriol,

    I've done some testing on my end and while I see the errors when testing locally using the integrity attribute, the app functions correctly when deployed to the Zendesk instance. Can you give this a try on your end and see how you go?

    Oriol11
    • Oriol11
    • Author
    • March 19, 2024

    Hi Tipene

    I tried that and it works. But in fact, now it works even when running locally because I changed the URL of the script ot this one

    <script
    src="https://static.zdassets.com/zendesk_app_framework_sdk/2.0/zaf_sdk.min.js"
    integrity="sha256-WHVWWMLV1MeI0XWqHvUm6vA8imQw6GsC/2dB6Cwx0OE="
    crossorigin="anonymous">
    </script>

    As described in this guide:

    https://developer.zendesk.com/documentation/apps/app-developer-guide/using-the-apps-framework/

    The URL there is different from the one we get out of the box when using the ZCLI command to create the application skeleton files.

     

    Tipene
    • Tipene
    • March 20, 2024
    Hi Oriol,
     
    Glad to hear you've got it working! Can you let me know the specific app scaffold you're using? Is it just the basic files or the react files? On my end, the script included with the scaffold should be the same as you have, but I'll take a look at the source just to be sure.
    Oriol11
    • Oriol11
    • Author
    • March 20, 2024

    Hi Tipene, it's the react scaffold. I think this line is the culprit:

    https://github.com/zendesk/app_scaffold/blob/c60b050ec30c6105109d89aab1b5b4b3f0ff39fc/webpack.config.js#L10

    Tipene
    • Tipene
    • March 21, 2024
    Awesome, thanks for pointing that out! I'll work with our product team to see if this needs updating.
     
    Thanks again!
     
    Tipene
    Terms & ConditionsCookie settingsAccessibility statement