SRI/CORS header Access-Control-Allow-Origin missing

[ilyalyo]

In some cases it is imposiible to add crossorigin&integrity atribute becouse header Access-Control-Allow-Origin not provided, for example here:
https://www.statcounter.com/counter/counter.js
Should we make a request for each external link and check header?

@fulldecent

[fulldecent]

Sorry, I don't understand. What happens if you try to access stat counter with CORS?

[ilyalyo]

Resource will be blocked and you will have such error:
Access to Script at 'https://www.statcounter.com/counter/counter.js' from origin 'http://127.0.0.1:4000' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://127.0.0.1:4000' is therefore not allowed access.

[fulldecent]

Is that behavior different than if we host the file from http://127.0.0.1:4000 and do NOT have integrity="***" crossorigin="anonymous"?

[ilyalyo]

Yes it's different, if we have local file we doesn't check for sri/cors
We have 3 cases:

1. Local file - doesn't need sri/cors
2. Exteranl file with proper Access-Control-Allow-Origin header - needs sri/cors
3. External file without proper Access-Control-Allow-Origin header - don't need sri/cors (with it it will be blocked and will not be loaded)

Now we don't check for headers, thats why we can have error in htmlproofer that sri/cors not provided for external link, but it's not possible to fix it, becouse we can not change headers in external resource.

[gjtorikian]

Uncertain if this is still an issue, original PR was closed