Recent searches

No recent searches

Can't use integrity script attribute

image avatar

Oriol Pericas

Posted Mar 14, 2024

Hello

I am trying to build a Zendesk app and followed the steps in this guide:

https://developer.zendesk.com/documentation/apps/getting-started/using-zcli/

The `iframe.html` file includes a script tag. As a security measure, I'm required by my company to add an integrity attribute to this script tag with a hash to verify the script has not been manipulated.

<scripttype="text/javascript"src="https://assets.zendesk.com/apps/sdk/2.0/zaf_sdk.js"

integrity="sha256-WHVWWMLV1MeI0XWqHvUm6vA8imQw6GsC/2dB6Cwx0OE="crossorigin="anonymous"></script>
 
 

However, doing this introduces CORS errors when I run the app locally. I didn't try it yet, but I assume the same will happen if I deploy it.

Access to script at 'https://assets.zendesk.com/apps/sdk/2.0/zaf_sdk.js' from origin 'http://localhost:4567' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

 

To fix this, I believe the server hosting the script should include the `Access-Control-Allow-Origin` header.

Is there a way to fix this or am I unable to use the integrity attribute?

Thank you

 

0

5

5 comments

Date
    image avatar

    Tipene Hughes

    Zendesk Developer Advocacy

    Hey Oriol,

    I've done some testing on my end and while I see the errors when testing locally using the integrity attribute, the app functions correctly when deployed to the Zendesk instance. Can you give this a try on your end and see how you go?

    0

    image avatar

    Oriol Pericas

    Hi Tipene

    I tried that and it works. But in fact, now it works even when running locally because I changed the URL of the script ot this one

    <script
    src="https://static.zdassets.com/zendesk_app_framework_sdk/2.0/zaf_sdk.min.js"
    integrity="sha256-WHVWWMLV1MeI0XWqHvUm6vA8imQw6GsC/2dB6Cwx0OE="
    crossorigin="anonymous">
    </script>

    As described in this guide:

    https://developer.zendesk.com/documentation/apps/app-developer-guide/using-the-apps-framework/

    The URL there is different from the one we get out of the box when using the ZCLI command to create the application skeleton files.

     

    0

    image avatar

    Tipene Hughes

    Zendesk Developer Advocacy

    Hi Oriol,
     
    Glad to hear you've got it working! Can you let me know the specific app scaffold you're using? Is it just the basic files or the react files? On my end, the script included with the scaffold should be the same as you have, but I'll take a look at the source just to be sure.

    0

    image avatar

    Oriol Pericas

    Hi Tipene, it's the react scaffold. I think this line is the culprit:

    https://github.com/zendesk/app_scaffold/blob/c60b050ec30c6105109d89aab1b5b4b3f0ff39fc/webpack.config.js#L10

    0

    image avatar

    Tipene Hughes

    Zendesk Developer Advocacy

    Awesome, thanks for pointing that out! I'll work with our product team to see if this needs updating.
     
    Thanks again!
     
    Tipene

    0

    Please sign in to leave a comment.

    Didn't find what you're looking for?

    New post