Add crossorigin=use-credentials to link[rel=manifest] for sake of Basic Auth #371
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
In a support topic, it was revealed that the Web App Manifest fails to load when Basic Auth is being used.
I was able reproduce this with a test plugin:
When loading a page after providing authentication, I got:
When
crossorigin="use-credentials"
was added, however, there was no issue loading the Web App Manifest.This appears to be the the best practice per w3c/manifest#535 (comment). For more context and explanation for why this is needed (but isn't for
link[rel=stylesheet]
, see w3c/manifest#535 (comment).Solution also affirmed in koajs/basic-auth#19 (comment) and https://stackoverflow.com/a/51157352/93579.
If a site doesn't use HTTP Basic Auth, then sending credentials won't make any difference either.