Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Cookies not sent with request for Web App manifest.json

I am trying to enable PWA on a web site that requires authentication (login tokens managed via Cookies)..

I am trying this out locally (http://localhost:4502) and login (and am issued the login cookie) for the web site.

The problem is when the Web App manifest is requested, no Cookies are sent on the request, so the request is not authenticated.

<link rel="manifest" href="/content/site-x/manifest.json">

As you can see the manifest is served off the the same host/scheme as the web page that includes it.

Do the requests for the the manifest have cookies passed along? I even set my login cookie to be as lax as possible, but nothing. The cookies are sent on all the other requests (JS, CSS, etc.) -- Is there something special about localhost perhaps? Or that its not http?

like image 571
empire29 Avatar asked Aug 10 '18 00:08

empire29


People also ask

What is manifest JSON in website?

The web app manifest is a JSON file that tells the browser about your Progressive Web App and how it should behave when installed on the user's desktop or mobile device.

What is PWA manifest JSON?

The web app manifest is a JSON file that defines how the PWA should be treated as an installed application, including the look and feel and basic behavior within the operating system.

Why manifest JSON is needed?

Using manifest. json , you specify basic metadata about your extension such as the name and version, and can also specify aspects of your extension's functionality (such as background scripts, content scripts, and browser actions).

What does manifest JSON mean?

The manifest. json is a simple JSON file in your website that tells the browser about your website on user's mobile device or desktop. Having a manifest is required by Chrome to show the Add to Home Screen prompt.


1 Answers

According to the https://developers.google.com/web/fundamentals/web-app-manifest/

The request for the manifest is made without any credentials (even if it's on the same domain), thus if the manifest requires credentials, you must include crossorigin="use-credentials" in the manifest tag.

So adding <link rel="manifest" href="/manifest.json" crossorigin="use-credentials"> for both cross domain as adding server cookies in the request for the manifest

like image 162
Stefan van de Vooren Avatar answered Oct 08 '22 19:10

Stefan van de Vooren