Angular 8 differential loading failing due to auth issues with dotnet core

Question

I recently updated from Angular 7 to Angular 8 using ng update. After following the expected migration path with no issues I built and deployed. Everything worked great until I started checking other browser versions and realized some were getting 401 unauthorized from the server in requesting the js files.

The issue is, the differential loading is done like this:

<script src="main-es2015.1234.js" type="module"></script>

It seems that some browsers, some of the time, don't want to pass auth info for <script type="module" .... It strikes me that there are several ways to work around this:

• I can work around this by adding crossorigin="use-credentials" to the script tag but I haven't been able to find how to do that in ng build.
• I can tweak the auth settings to somehow allow anonymous requests through to my JS files but I haven't been able to find the dotnet core method of doing this without a lot of complexity. Right now the entire app only allows windows auth. If I allow anonymous I don't want to have to worry somehow that I've left a controller open.

I'm thinking the former option is the cleaner solution but I'm open to alternatives.

Answer 1

Since the posting of the accepted answer the option to handle this in the first way McAden suggests by adding crossorigin="use-credentials" has been added to the Angular CLI options.

Original feature request

Angular CLI documentation

In your angular.json add

{
   ...,
   "build": {
     "builder": ...,
     "options": {
        ...
        "crossOrigin": "use-credentials"
     }
   }
}