I recently got a warning about SRI/CORS that I believe is a bug in Hardenize.
I have reduced it to a simplified example. Compare these:
The two websites include a JavaScript file on the same origin with an SRI hash, and are almost identical. The only difference is that t0 uses src="/test.js" (leading slash), while t1 uses src="test.js" (no slash). The latter gets several warnings from Hardenize ("Invalid local SRI CORS configuration", "Invalid remote SRI CORS configuration", "Invalid SRI configuration").
This is probably a bug in Hardenize that somehow interprets the src without the slash as a remote origin. The JavaScript is fetched from the same origin, therefore no CORS is necessary.
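
The check at issue, as an added example that is not part of the original post and is not Hardenize's code: resolve each script src against the document base URL the way a browser does, then compare origins to decide whether SRI needs CORS at all. The helper name `classifySriScript`, the host names and the hash are constructed for illustration; the last case goes beyond the post to show the one situation (`<base href>`) where a slash-less src really is remote.

```javascript
// Added example (not Hardenize's code). Host names and the hash are constructed.
const SAMPLE_HASH = "sha384-" + "A".repeat(64); // constructed placeholder digest

// Hypothetical helper: decide whether a <script integrity=...> needs CORS.
function classifySriScript(pageUrl, script, baseHref) {
  const page = new URL(pageUrl);
  // Relative URLs resolve against the document base URL: <base href> if
  // present (itself resolved against the page), otherwise the page URL.
  const base = baseHref ? new URL(baseHref, page) : page;
  const resolved = new URL(script.src, base);
  const sameOrigin = resolved.origin === page.origin;

  const findings = [];
  // Simplified syntax check of the integrity metadata (options are ignored).
  const tokens = (script.integrity || "").trim().split(/\s+/).filter(Boolean);
  const wellFormed = /^sha(256|384|512)-[A-Za-z0-9+/]+={0,2}$/;
  if (tokens.length === 0) findings.push("missing-integrity");
  else if (!tokens.every((t) => wellFormed.test(t))) findings.push("malformed-integrity");

  // Only a cross-origin fetch needs CORS for the integrity check to run:
  // without a crossorigin attribute the response is opaque and SRI fails.
  const needsCors = !sameOrigin;
  if (needsCors && script.crossorigin === undefined) {
    findings.push("cross-origin-without-crossorigin");
  }
  return { resolved: resolved.href, sameOrigin, needsCors, findings };
}

// Constructed sample input mirroring the two variants in the post.
const page = "https://site.example/dir/index.html";
const cases = [
  { src: "/test.js", integrity: SAMPLE_HASH },              // t0 style
  { src: "test.js", integrity: SAMPLE_HASH },               // t1 style
  { src: "//cdn.example/test.js", integrity: SAMPLE_HASH }, // genuinely remote
];
for (const s of cases) console.log(s.src, classifySriScript(page, s));
// A slash-less src is remote only when <base href> points elsewhere.
console.log("with <base>", classifySriScript(page, cases[1], "https://cdn.example/assets/"));
```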