Webform custom CSS not applied unless ALL anonymous traffic allowed to create submissions

I saw this on SE and have been unable to reproduce it as written. Because you can reproduce the bug on that site, would you add to the issue summary the full steps to reproduce including the CDN setup?

🐛 Webform asset javascript (webform/javascript/webform_id/custom.js) is showing not found Active is perhaps related, although that one is a 404.

For example, I may be unable to reproduce the bug because I am testing as administrator. I did the following:

1. Installed a new Drupal 10 site with Webform 6.2.8.
2. Changed the built-in Contact form to be accessible only to authenticated users.
3. I added some custom CSS.
4. I disabled CSS aggregation, so I could see every file in the dev tools network tab.
5. When viewing the form, the custom CSS file is downloaded and it is a HTTP 200.

I tried to add more information about CDN, but I don't know exactly what's meant by "setup". I'll go ahead and provide the header info.

Server hostname
www.oursite.gov
Remote Client
Remote address
198.248.x.x
Remote hostname
N/A
Remote country code
🇺🇸 US
User agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/132.0.0.0
Request
Timestamp
Jan 30, 12:00:57 PM CST
Method
GET
Scheme
https
Server name
www.oursite.gov
Protocol
HTTP/3
Path
/webform/css/community_partner_budget_request/custom.css
URI
/webform/css/community_partner_budget_request/custom.css
Full URL
https://www.oursite.gov/webform/css/community_partner_budget_request/cus...
TLS protocol
TLSv1.3
TLS cipher
TLS_AES_256_GCM_SHA384
Request Headers
Accept
text/css, */*;q=0.1
Accept-Encoding
br
Accept-Language
en-US, en;q=0.9
Asn
2495
Cdn-Loop
Fastly, Fastly, Fastly
Client-Ja3
dd3b06fc126532d749914464b162dea5
Country-Code
US
Fastly-Client
1
Fastly-Client-Ip
198.248.172.2
Fastly-Ff
shtNug6M3Q8p1zl8HcxqZvd1TrCuVsvNDTlUiVeUfsI=!MCI!cache-mci680067-MCI, shtNug6M3Q8p1zl8HcxqZvd1TrCuVsvNDTlUiVeUfsI=!MCI!cache-mci680025-MCI, shtNug6M3Q8p1zl8HcxqZvd1TrCuVsvNDTlUiVeUfsI=!IAD!cache-iad-kiad7000037-IAD
Fastly-Orig-Accept-Encoding
br
Fastly-Request-Id
ec4425ce594349e5197c79a7
Fastly-Ssl
1
Host
www.oursite.gov
Priority
u=0
Proxy-Type
?
Proxy_desc
?
Referer
https://www.oursite.gov/webform/community_partner_budget_request/test
Sec-Ch-Ua
"Not A(Brand";v="8", "Chromium";v="132", "Microsoft Edge";v="132"
Sec-Ch-Ua-Mobile
?0
Sec-Ch-Ua-Platform
"Windows"
Sec-Fetch-Dest
style
Sec-Fetch-Mode
no-cors
Sec-Fetch-Site
same-origin
True-Client-Ip
198.248.x.x
User-Agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/132.0.0.0
X-Forwarded-For
198.248.x.x, 140.248.x.x
X-Forwarded-Host
www.oursite.gov, www.oursite.gov
X-Forwarded-Server
cache-mci680067-MCI, cache-iad-kiad7000037-IAD
X-Original-Url
/webform/css/community_partner_budget_request/custom.css?sqwxhn&sqwxhn
X-Pass
redacted
X-Sigsci-Edgemodule
vcl 2.7.0
X-Sigsci-Requestid
72ddd02f096749259b3b00000000002e
X-Static-Asset
1
X-Timer
S1738260057.095938, VS0, VS0
X-Varnish
4228963453
X-Waf-Block
0
X-Waf-Block-Id
0
Response
Agent response
200
HTTP response code
403
HTTP response size
67.2KB
Total duration
34 ms
Response Headers
Accept-Ranges
bytes
Cache-Control
must-revalidate, no-cache, private
Connection
keep-alive
Content-Language
en
Content-Length
68790
Content-Type
text/html; charset=UTF-8
Date
Thu, 30 Jan 2025 18:00:57 GMT
Expires
Sun, 19 Nov 1978 05:00:00 GMT
Fastly-Debug-Digest
086eaeafac7087f2cf4efc1ddc4f03eae76eed9253be9387627d7ca797f3158f
Fastly-Debug-Path
(D cache-iad-kiad7000121-IAD 1738260057) (F cache-iad-kiad7000121-IAD 1738260057)
Fastly-Debug-Ttl
(M cache-iad-kiad7000121-IAD - - -)
Fastly-Drupal-Html
YES
Surrogate-Control
must-revalidate, no-cache, private, stale-while-revalidate=14400, stale-if-error=604800
Surrogate-Key
redacted
Via
1.1 varnish
X-Cache
MISS
X-Cache-Hits
0
X-Content-Type-Options
nosniff
X-Drupal-Cache
HIT
X-Frame-Options
SAMEORIGIN
X-Lagoon
amazeeio-us2>ingress-nginx>oursite-main:nginx>nginx-54567467c8-vvthv
X-Served-By
cache-iad-kiad7000121-IAD
X-Timer
S1738260057.095938,VS0,VS0,VS0,VE33
Signals
Allowed Request
Detector: 66840a0f7953bb438c16672f - View rule
HTTP 403 403
Detector: HTTPErrorRule

I may try the patch from the other issue and downgrading to 6.2.2. I'm wondering what changed related to this after 6.2.2.

The issue you linked definitely seems related and the change made appears to be this. https://www.drupal.org/i/3389539 →

Can you tell which commit caused this? You can use git bisect to figure it out.

As to "setup" I mean any guidance on how I could set up a site on my end to exhibit the bug.

I have never used git bisect. I would have to learn how. It looks a bit involved. I have so many commits, I don't know how I would find the one that caused this issue.

git bisect helps you find it. If it's broken now but there is some previous version that worked, it will help you to search for the first commit between the two where it is broken. git bisect will checkout one version after another and you just have to test and tell Git if the current one is good or bad.

See this comment I wrote 🐛 Database serialisation error Active for git bisect instructions.

It's going to be hard to troubleshoot because I never had the issue locally. Only in internet staging and production. I can confirm this when I get an opportunity, but local worked fine for me before I used the patch. I'm not if that's because I have aggregation only in production, or what.

I can reproduce this on a live site:

Webform Access -> Create Submissions: to Authenticated user
I get console errors adding some JS in Settings -> CSS / JS

.../webform/javascript/kg_guest_check/custom.js?sud2oi net::ERR_ABORTED 403 (Forbidden)
Refused to execute script from '.../webform/javascript/kg_guest_check/custom.js?sud2oi' because its MIME type ('text/html') is not executable, and strict MIME type checking is enabled.

If I relax the permissions to:
Webform Access -> Create Submissions: to Anonymous user
No more console errors

Set it back
Webform Access -> Create Submissions: to Authenticated user
sudo -u www-data drush cr
and clear our varnish caches for good measure

Errors are back:

.../webform/javascript/kg_guest_check/custom.js?sud2oi net::ERR_ABORTED 403 (Forbidden)
Refused to execute script from '.../webform/javascript/kg_guest_check/custom.js?sud2oi' because its MIME type ('text/html') is not executable, and strict MIME type checking is enabled.

I don't recall when - if this ever worked for forms that are not open to anonymous user submissions. I do end up pasting tiny bits of JS into webforms regularly but most webforms are for anonymous users. So I have not run into this previously. If anyone has any suspect/commits that may have caused this - I'd be happy to dig in.

As a workaround - I've pasted my javascript in a markup element with script tags. That does work - it's just I'm going to forget I did that :-)

Update: my partner made some edits to his hosting platform:

"Fixed. The issue is that it's a .js file that isn't being served directly, and normally those are (best) served without any cookie/permissioning, but in this case it needs it."