Remove crossorigin from preload hints for same-origin vendor assets (#304)

jonchurch · web-flow · commit cceab9eb7ca5 · 2025-12-07T17:04:25.000-05:00
* Remove crossorigin from preload hints for same-origin vendor assets

Vendor assets are served from /vendor/... (same origin), so crossorigin
attribute on preload hints causes a credentials mode mismatch. The browser
preloads with anonymous credentials but requests without, resulting in
cache misses and double fetching.

* remove jsdelivr hint, we dont use it at all currently
diff --git a/_headers b/_headers
@@ -64,7 +64,6 @@ csp:
 hints:
   all: [
     '</sw.js>; rel=serviceworker',
-    '<https://cdn.jsdelivr.net/>; rel=preconnect; pr=1.0; crossorigin',
     '<//cdn.carbonads.com/>; rel=dns-prefetch; pr=0.25',
     '<//srv.carbonads.net/>; rel=dns-prefetch; pr=0.25'
   ]
@@ -92,7 +91,7 @@ Add resource hints for site-wide css.
 Add resource hints for site-wide vendor css.
 {% endcomment %}
 {% for res in site.vendor.css %}
-  {% capture hint %}<{{ res.href }}>; rel=preload; as=style; pr=1.0; crossorigin{% endcapture %}
+  {% capture hint %}<{{ res.href }}>; rel=preload; as=style; pr=1.0{% endcapture %}
   {% assign all = all | push:hint %}
 {% endfor %}
 
@@ -103,7 +102,7 @@ Add resource hints for site-wide font faces.
   {% for style in family[1] %}
     {% for href in style[1] %}
       {% if href contains '.woff2' %}
-        {% capture hint %}<{{ href }}>; rel=preload; as=font; pr=1.0; crossorigin{% endcapture %}
+        {% capture hint %}<{{ href }}>; rel=preload; as=font; pr=1.0{% endcapture %}
         {% assign all = all | push:hint %}
       {% endif %}
     {% endfor %}
@@ -146,7 +145,7 @@ Add resource hints for docs js.
 Add resource hints for docs vendor js.
 {% endcomment %}
 {% for res in site.vendor.js %}
-  {% capture hint %}<{{ res.href }}>; rel=preload; as=script; pr=1.0; crossorigin{% endcapture %}
+  {% capture hint %}<{{ res.href }}>; rel=preload; as=script; pr=1.0{% endcapture %}
   {% assign docs = docs | push:hint %}
 {% endfor %}
 
@@ -178,7 +177,7 @@ Add link header for doc pages.
 
 {% for res in site.builds %}
 /docs/{{ res[0] }}*
-  Link: <{{ res[1].href }}>; rel=preload; as=script; pr=1.0; crossorigin
+  Link: <{{ res[1].href }}>; rel=preload; as=script; pr=1.0
 {% endfor %}
 
 {% comment %}
diff --git a/assets/js/boot.js b/assets/js/boot.js
@@ -9,6 +9,10 @@
   function addStyleSheet(res) {
     var link = document.createElement('link')
 
+    // Note: crossOrigin is only needed for cross-origin requests with SRI.
+    // Since vendor assets are now served from same origin (/vendor/...),
+    // this condition won't match and crossOrigin won't be set - which is correct.
+    // If loading from external CDNs again, this enables CORS for SRI verification.
     if (res.integrity &&
         res.href.slice(0, 6) === 'https:') {
       link.crossOrigin = 'anonymous'
