Add crossorigin anonymus to the mix configuration because it's not possible to use with a CDN for all the resources

[dantes4ur]

Telescope Version

5.0.1

Laravel Version

10.48.4

PHP Version

8.2

Database Driver & Version

MySQL 8

Description

Previously, there were no problems of using telescope without this attribute crossorigin="anonymous" on link or script tags. But right now I found a weird problem regarding the script and styles tag if it's consumed from a CDN.

The error:

Subresource Integrity:
The resource 'https://cdn.domain.com/vendor/telescope/styles.css' has an integrity attribute, but the resource requires the request to be CORS enabled to check the integrity, and it is not. The resource has been blocked because the
integrity cannot be enforced.

What I found:
https://stackoverflow.com/questions/35323268/how-to-solve-resource-requires-the-request-to-be-cors-enabled-resource-has-bee

I think that is related with the webpack configuration on the production files in the package.
https://webpack.js.org/configuration/output/

Steps To Reproduce

Upload your assets to CDN (other domain) and then try to load from a https domain (preferably not local) and then you'll see that your telescope page does not render as expected.

[jason-nabooki]

Yeah, we had this issue too but that change has been reverted.

Upgrade to 5.0.3.

[dantes4ur]

Yeah, we had this issue too but that change has been reverted.

Upgrade to 5.0.3.

I did that, but I found the following problems related to Vite:

Illuminate\Foundation\ViteManifestNotFoundException: Vite manifest not found at: .../public/vendor/telescope/manifest.json in .../vendor/laravel/framework/src/Illuminate/Foundation/Vite.php:728

I don't know why it's looking for vite manifest when this is pure webpack.

https://github.com/laravel/framework/blob/57c6f974654867c2f2c9f82e7e2014669b30b4f1/src/Illuminate/Foundation/Vite.php#L743 this is the line causing error 500, I don't know if there's a workaround because I'm not using assets at all, my project is pure API.

One thing It would be nice IMO is that class wouldn't look exactly for public_path, sometimes you deploy all the public assets into a S3 or bucket like distribution and use a full ASSET_URL outside your project, wdyt?

[jason-nabooki]

Not sure. Didn't have any issues upgrading to 5.0.3. Only thing I had to do was invalidate the assets on Cloudfront.

Does your composer.json automatically publish vendor assets on upgrade of package?

Maybe run php artisan telescope:publish

[dantes4ur]

Not sure. Didn't have any issues upgrading to 5.0.3. Only thing I had to do was invalidate the assets on Cloudfront.

Does your composer.json automatically publish vendor assets on upgrade of package?

Maybe run php artisan telescope:publish

I tried that command…

I don’t find the manifest.json file in this version https://github.com/laravel/telescope/releases/tag/v5.0.3 I think that’s where it breaks when you do fresh install

[jason-nabooki]

You won't. 5.0.3 reverted the Vite migration. So it's using only Mix. The manifest is mix-manifest.json.

https://github.com/laravel/telescope/tree/v5.0.3/public

These are the assets that should be published.

[dantes4ur]

You won't. 5.0.3 reverted the Vite migration. So it's using only Mix. The manifest is mix-manifest.json.

https://github.com/laravel/telescope/tree/v5.0.3/public

These are the assets that should be published.

Already got with the problem... a cache thing, doing php artisan optimize:clear && php artisan view:clear and it stops searching for the manifest.json file. Thank you!