Problem
The theme partial that renders the site <head> is internally inconsistent about Subresource Integrity (SRI) and CORS: the local stylesheet <link> tag has an integrity attribute but no crossorigin attribute, while the third-party <script> tags in the same partial have both integrity and crossorigin="anonymous".
Per the SRI spec, when integrity is present and the request is not in cors mode, the response is opaque and the integrity check fails by definition — even when the bytes match. Today this is latent because PR #93 makes the staging stylesheet same-origin via a baseURL override at deploy time, so SRI works without crossorigin. The bug will resurface for any future scenario that serves the stylesheet cross-origin (CDN, asset host, alternate environment).
Background
Chromium-family browsers have historically been more permissive than Firefox here. "Looks fine in Chrome" is not evidence the markup is correct.
Lines 14–17 of the same partial load other stylesheets (Google Fonts, Typekit, Cooper Hewitt fonts, Font Awesome) without any integrity attribute, so they are not affected by this issue and should not be changed as part of it.
Files / Symbols
themes/openemr/layouts/partials/header.html:20 — the affected <link rel="stylesheet">. Currently:
themes/openemr/layouts/partials/header.html:37–40 — reference for the existing integrity + crossorigin="anonymous" pattern used on <script> tags. Match that style.
Reproduction
To confirm the fix end-to-end, the change must be exercised in a cross-origin configuration. The current GitHub Pages staging build is same-origin (post-PR #93), so it will not exercise the bug. Either:
Build locally with hugo --baseURL https://example.invalid/ and serve the resulting public/ from a different origin than the asset path the stylesheet ends up referencing, then load in Firefox and verify the page is styled and the browser console shows no SRI error; or
Once the change is in, verify against any future cross-origin asset configuration.
Approach
Add crossorigin="anonymous" to the <link rel="stylesheet"> at themes/openemr/layouts/partials/header.html:20.
Verify the same-origin staging deploy still works (regression check) — load https://openemr.github.io/website-openemr/ in Firefox after the change merges and a deploy completes; confirm the page is styled.
No other <link> tags in this partial carry an integrity attribute, so no other lines need changing.
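As an added check, not code from the website-openemr repo: a small Python lint over rendered HTML that reports every <link>/<script> carrying integrity without crossorigin and, given the page origin, says whether the SRI check fails now (cross-origin fetch, opaque response) or is merely latent (same-origin today, as on the post-PR #93 staging build). The hostnames and hash values in the constructed sample are placeholders.

```python
"""Lint rendered HTML for SRI tags that lack crossorigin (added example)."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class _SriCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.tags = []  # (tag_name, url, has_integrity, has_crossorigin)

    def handle_starttag(self, tag, attrs):
        # Only <link href> and <script src> can carry SRI metadata.
        if tag in ("link", "script"):
            a = dict(attrs)
            url = a.get("href" if tag == "link" else "src")
            if url is not None:
                self.tags.append((tag, url, "integrity" in a, "crossorigin" in a))


def _origin(url):
    p = urlparse(url)
    return (p.scheme.lower(), p.netloc.lower())


def check_sri(html, page_url):
    """Return (tag, url, verdict) for each tag that declares integrity.
    "fails": fetched cross-origin without crossorigin, so the response is opaque
    and the SRI check fails even when the bytes match; "latent": same-origin
    today, so it works until the asset moves to another origin; "ok" otherwise.
    """
    collector = _SriCollector()
    collector.feed(html)
    page_origin = _origin(page_url)
    findings = []
    for tag, url, has_integrity, has_crossorigin in collector.tags:
        if not has_integrity:
            continue  # no SRI declared (e.g. the font CDN links): nothing to check
        if has_crossorigin:
            verdict = "ok"
        elif _origin(urljoin(page_url, url)) != page_origin:
            verdict = "fails"
        else:
            verdict = "latent"
        findings.append((tag, url, verdict))
    return findings


# Constructed sample head; hosts and hash values are placeholders, not the real partial.
SAMPLE_HEAD = """<head>
<link href="https://fonts.googleapis.com/css?family=Open+Sans" rel="stylesheet">
<link rel="stylesheet" href="https://assets.example.invalid/css/main.css" integrity="sha384-PLACEHOLDER">
<script src="https://cdn.example.invalid/lib.js" integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
</head>"""
```

Run it against the output of a local hugo build with two different page origins to see the same stylesheet tag flip from "latent" to "fails".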
Definition of done
themes/openemr/layouts/partials/header.html:20 includes crossorigin="anonymous" alongside integrity.
No new <link integrity=...> tags introduced without a matching crossorigin attribute.
Out of scope
Adding integrity to the CDN-loaded stylesheets at lines 14–17 — those have no SRI today and adding it is a separate decision.