Subresource Integrity failures when using ASSET_URL

[mnightingale]

Horizon Version

5.24.3

Laravel Version

10.48.9

PHP Version

8.3.6

Redis Driver

PhpRedis

Redis Version

6.0.2

Database Driver & Version

No response

Description

Related #1421

I have a deployment using a CDN via ASSET_URL=https:://cdn.domain.com but I'm running into CORs issues.

Chrome reports:

Subresource Integrity: The resource 'https://cdn.domain.com/vendor/horizon/styles.css' has an integrity attribute, but the resource requires the request to be CORS enabled to check the integrity, and it is not. The resource has been blocked because the integrity cannot be enforced.

CORs is confusing but I resolve for the main site using AppServiceProvider with the following, but all my customisations via the Vite facade appear to be ignored within horizon including createAssetPathsUsing which I hoped could be an alternative to exclude horizon paths from using the CDN altogether.

Vite::useStyleTagAttributes(['crossorigin' => 'anonymous'])
  ->useScriptTagAttributes(['crossorigin' => 'anonymous'])

I'm not sure how to fix it but it looks like

horizon/resources/views/layout.blade.php

Lines 1 to 21 in bf3c4a8

	@php
	use Illuminate\Support\Facades\Vite;
	use Illuminate\Foundation\Vite as ViteFoundation;
	$nonExistentFileName = '/vendor/horizon/nonExistentFile';
	$vite = new ViteFoundation();
	$vite->useHotFile($nonExistentFileName);
	$viteDataSchemeLight = new ViteFoundation();
	$viteDataSchemeLight->useHotFile($nonExistentFileName);
	$viteDataSchemeLight->useStyleTagAttributes([
	'data-scheme' => 'light',
	]);
	$viteDataSchemeDark = new ViteFoundation();
	$viteDataSchemeDark->useHotFile($nonExistentFileName);
	$viteDataSchemeDark->useStyleTagAttributes([
	'data-scheme' => 'dark',
	]);
	@endphp

may create it's own instance ignoring all customisations, perhaps that should somehow clone and extend the users defaults or at least have a way to apply customisations?

For now I've reverted to 5.24.2 which doesn't have integrity attributes so loads without issue.

Steps To Reproduce

Access assets via a different domain, i.e ASSET_URL=https://cdn.domain.com and try to access the horizon dashboard.

[mnightingale]

Something else I've noticed is vite is configured to not have hashes in filenames,presumably to keep git cleaner but assets will be non-cache-busting.

Not sure if there is a way to get vite to handle it, or createAssetPathsUsing appending Vite::manifestHash() to the query string?

[mmachatschek]

@mnightingale PR#1427 should solve your issue

[hanicab]

I have the same issue, thank you