Closed abdonrd closed 5 years ago
These are known issues, but not sure how to fix them. Fortunately, looking at the network timeline, subsequent requests for these resources seem to hit the cache so these warnings shouldn't actually be causing network performance impacts. Will keep this tracking issue open.
Corrections (crossed out below): crossorigin
attribute can be present on regular scripts as well; just need to change @polymer/esm-amd-loader
so that it loads modules with the same value of crossorigin
.
I did some testing and it seems like adding crossorigin=anonymous;
to the Link: rel=preload
headers for module (ESM) scripts and the corresponding <script type="module" crossorigin="anonymous">
to index.html will remove the warning/duplicate entry in the network timeline. ~However, crossorigin=anonymous;
(and the corresponding <script crossorigin="anonymous">
in index.html) must not be present for regular scripts (e.g. es5/es6 builds, webcomponents-loader.js)~. So basically we want this for esm-bundled
:
Link: </src/components/my-app.js>; rel=preload; as=script; crossorigin=anonymous
Link: </src/components/my-view1.js>; rel=preload; as=script; crossorigin=anonymous
Link: </node_modules/@webcomponents/webcomponentsjs/webcomponents-loader.js>; rel=preload; as=script
...
<script type="module" crossorigin="anonymous">
And this for the other builds:
Link: </src/components/my-app.js>; rel=preload; as=script
Link: </src/components/my-view1.js>; rel=preload; as=script
Link: </node_modules/@webcomponents/webcomponentsjs/webcomponents-loader.js>; rel=preload; as=script
...
<script>
To fix this, we could (but not limited to):
a) Add a feature to prpl-server to add crossorigin=anonymous
for all module scripts. Unfortunately, we can't just rely on "browserCapabilities": ["modules"]"
and "js": { "transformModulesToAmd": true }
in polymer.json since it's possible for someone to write regular (non-module) script, not use these options, and still end up with valid script.
b) Add a specification for crossorigin=anonymous
to push-manifest.json and have prpl-server use it. Right now we use the same push-manifest.json across all builds.
~In addition, the transformModulesToAmd
transformation must remove the <script crossorigin="anonymous">
attribute in index.html.~
Also, I'm pretty sure using crossorigin=anonymous
will break the scripts-behind-authentication use case (ref https://github.com/Polymer/pwa-starter-kit/issues/89). Might want to preserve both the crossorigin=anonymous
and crossorigin=use-credentials
use cases.
Yeah I think we should add a specification for crossorigin
to push-manifest.json
and have prpl-server
to use it. There is already an issue filed for that: https://github.com/Polymer/prpl-server/issues/81
In addition prpl-server
should only add the crossorigin
to link headers if browserCapabilities
contains modules
.
cc @aomarks
Here's my proposed approach to fixing this issue:
@polymer/esm-amd-loader
so that it loads AMD modules with the same crossorigin attribute as document.currentScript
. That is, if I have <script crossorigin="use-credentials">define(['src/components/my-app.js']);</script>
, then that module (and all transitive modules it loads) will load with <script crossorigin="use-credentials">
. Fixed in https://github.com/Polymer/tools/pull/801"crossorigin"
setting to push-manifest.json and make prpl-server use this in link headers. Developers will be required to update push-manifest.json so that each resource matches the way it's loaded in HTML. Fixed in https://github.com/Polymer/prpl-server/pull/85Unlike the approach I described above, this approach allows any resource (including images, videos, non-module scripts) to use the crossorigin
attribute. It also allows choosing between anonymous
and use-credentials
depending on the use case.
Preview of changes needed in pwa-starter-kit in the crossorigin
branch
咋回事啊
This was fixed by #288 - see merged PR referenced above.
There are a few warnings about crossorigin and preloaded.