Re: [w3c/manifest] Is it possible to load the progressive web app manifest file from authenticated site? (#535)

My reading of the spec is that by default, a `<link>` should make a non-CORS request including credentials.

From my reading of the [HTML spec](https://html.spec.whatwg.org/#obtaining-a-resource-from-a-link-element), I compiled [this table](https://docs.google.com/spreadsheets/d/1nge9Sblkgl0dqj4eA1T1lJI6-u1gHyjhJLpMgODGrTI/edit).

In summary:

- The default behaviour should be a non-CORS request with credentials.
- `crossOrigin="anonymous"` should make a CORS request without credentials unless the request goes to the same origin.
- `crossOrigin="use-credentials"` should make a CORS request with credentials.

In all cases, you should get credentials if the request goes to the same origin.

I'm not quite sure what a "non-CORS" request is in this default case. It looks fairly restricted.

So this could indeed be a Chrome bug if we aren't passing the credentials along.

-- 
https://github.com/w3c/manifest/issues/535#issuecomment-435736742

Received on Monday, 5 November 2018 02:27:52 UTC
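
The mapping summarized in the message above, written out as an added example (not part of the original message and not code from any browser or spec). It follows the HTML `crossorigin` attribute states for a generic `<link>` fetch. The function names and sample URLs are assumptions made for illustration, and cookie policies such as SameSite or third-party cookie blocking are not modelled.

```javascript
// Added example. corsState and linkRequest are hypothetical helper names.

// Resolve the crossorigin content attribute to its state.
// null/undefined means the attribute is absent ("No CORS").
// The keyword match is ASCII case-insensitive; the empty string and any
// unrecognised value both resolve to the Anonymous state.
function corsState(attr) {
  if (attr === null || attr === undefined) return "no-cors";
  return attr.toLowerCase() === "use-credentials" ? "use-credentials" : "anonymous";
}

// Describe the request a <link href=... crossorigin=...> would make from
// documentUrl, and whether credentials (cookies, HTTP auth) accompany it.
function linkRequest(documentUrl, href, crossorigin) {
  const doc = new URL(documentUrl);
  const target = new URL(href, doc); // resolves relative hrefs against the document
  const state = corsState(crossorigin);

  // Request mode: only an absent attribute yields a non-CORS request.
  const mode = state === "no-cors" ? "no-cors" : "cors";
  // Credentials mode: Anonymous limits credentials to same-origin targets.
  const credentials = state === "anonymous" ? "same-origin" : "include";

  // Same origin means scheme, host and port all match.
  const sameOrigin = doc.origin === target.origin;
  const sendsCredentials = credentials === "include" || sameOrigin;

  return { url: target.href, mode, credentials, sameOrigin, sendsCredentials };
}

// Constructed sample inputs: one document, several link variants.
const page = "https://app.example/dashboard";
const cases = [
  ["/manifest.json", null],
  ["https://cdn.example/manifest.json", null],
  ["https://cdn.example/manifest.json", "anonymous"],
  ["https://cdn.example/manifest.json", "use-credentials"],
  ["https://app.example:8443/manifest.json", ""],
];
for (const [href, attr] of cases) {
  const r = linkRequest(page, href, attr);
  console.log(`${String(attr).padEnd(16)} ${r.mode.padEnd(8)} ${r.credentials.padEnd(12)} ` +
              `credentials sent: ${r.sendsCredentials}  ${r.url}`);
}
```

The last case shows that a different port on the same host counts as cross-origin, so the Anonymous state sends no credentials there.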