Skip to content
This repository has been archived by the owner on Jan 18, 2024. It is now read-only.

[pwa-manifest] add crossorigin="use-credentials" attribute #3203

Closed
wants to merge 1 commit into from
Closed

[pwa-manifest] add crossorigin="use-credentials" attribute #3203

wants to merge 1 commit into from

Conversation

simoneb
Copy link

@simoneb simoneb commented Feb 9, 2021
edited
Loading

Why

If the PWA is served with basic authentication, it will result in a 401 when getting the manifest file unless this attribute is included.

How

Add crossorigin="use-credentials" attribute to the element for the manifest file

See explanation here.

Test Plan

Serve the generated PWA with basic auth on and see a 401 being returned without this change.

@simoneb
[pwa-manifest] add crossorigin="use-credentials" attribute
e101c81 
If the PWA is server under basic authentication, it will result in a 401 when getting the manifest file unless this attribute is included.

See explanation [here](https://developer.mozilla.org/en-US/docs/Web/HTML/Attributes/crossorigin#example_webmanifest_with_credentials).
@EvanBacon EvanBacon self-requested a review February 9, 2021 19:32
@EvanBacon EvanBacon added the Platform: web Using Expo in the browser label Feb 9, 2021
@EvanBacon
Copy link
Contributor

What are the drawbacks to using this? If it causes breaking changes to existing projects then it might be better to just manually customize the manifest tag.

@simoneb
Copy link
Author

simoneb commented Feb 10, 2021
edited
Loading

What are the drawbacks to using this? If it causes breaking changes to existing projects then it might be better to just manually customize the manifest tag.

Doing manual customization is an option too I guess, but it would require ejecting Web. I have not done it so I'm not sure exactly what that implies.

On your question about what the drawbacks are, there doesn't seem to be any, thought there are many ongoing discussions about why manifest links have the credentials off by default. What we know for sure, which is documented, is that if requesting the manifest file requires credentials that attribute must be there, with that specific value.

I did some research to understand why this behavior of a manifest link not sending credentials by default exists and here's what I found.

This issue describes it quite well. Other <link rel="..."> except manifest send credentials, and the reason is that the intention in the spec was to make it "secure by default" and to match the behavior of fetch. But then, because in fetch this was causing more troubles than not, fetch was changed to send credentials by default, while manifest remained as it was.

Finally, this pull request mentions that enabling it shouldn't make any (negative) difference, and it cites a few sources.

For completeness, create-react-app doesn't include that by default, but on the other hand CRA makes it much easier to customize the index.html file.

To summarize, I believe this change wouldn't have any negative impact, but if you think it may be a possible breaking change I guess we can stick to the option of ejecting Web, but I would prefer to avoid ejecting and just having the ability to customize this.

@simoneb
Copy link
Author

simoneb commented Mar 30, 2021

This doesn't seem to be going forward. Closing

@simoneb simoneb closed this Mar 30, 2021
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@EvanBacon EvanBacon Awaiting requested review from EvanBacon

Assignees
No one assigned
Labels
Platform: web Using Expo in the browser
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@simoneb @EvanBacon