-
Notifications
You must be signed in to change notification settings - Fork 100
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add crossorigin=use-credentials to link[rel=manifest] for sake of Basic Auth #371
base: develop
Are you sure you want to change the base?
Conversation
Codecov Report
@@ Coverage Diff @@
## develop #371 +/- ##
==========================================
Coverage 24.28% 24.28%
Complexity 364 364
==========================================
Files 55 55
Lines 1865 1865
==========================================
Hits 453 453
Misses 1412 1412
Flags with carried forward coverage won't be shown. Click here to find out more.
Continue to review full report at Codecov.
|
Actually, using a service worker on a site with Basic Auth is currently broken. So fixing this one issue with the Web App Manifest doesn't have much value at all, since as soon as the service worker is installed and the auth expires, then users will get a 401 error responses without any auth prompt. For more details, see GoogleChrome/workbox#2515. This is not an issue with Workbox but rather a platform issue in Chrome and other browsers. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Great!
8b8e0ad
to
8fc13e5
Compare
Build for testing: pwa.zip |
8fc13e5
to
7170ba4
Compare
In a support topic, it was revealed that the Web App Manifest fails to load when Basic Auth is being used.
I was able reproduce this with a test plugin:
When loading a page after providing authentication, I got:
When
crossorigin="use-credentials"
was added, however, there was no issue loading the Web App Manifest.This appears to be the the best practice per w3c/manifest#535 (comment). For more context and explanation for why this is needed (but isn't for
link[rel=stylesheet]
, see w3c/manifest#535 (comment).Solution also affirmed in koajs/basic-auth#19 (comment) and https://stackoverflow.com/a/51157352/93579.
If a site doesn't use HTTP Basic Auth, then sending credentials won't make any difference either.