Browsers don't send credentials (Authorization header) when downloading the "manifest.json" file if the "crossorigin" attribute is not set to "use-credentials". This is a problem for sites that use HTTP authentication, because the manifest cannot be downloaded, and Chrome keeps requesting it again and again.
Browsers don't send credentials (Authorization header) when downloading the "manifest.json" file if the "crossorigin" attribute is not set to "use-credentials". This is a problem for sites that use HTTP authentication, because the manifest cannot be downloaded, and Chrome keeps requesting it again and again.
The manifest file is stored on the same site as the "index.html" file, so the origin is the same, yet the crossorigin attribute is needed: https://developer.mozilla.org/en-US/docs/Web/HTML/Attributes/crossorigin#example_web_manifest_with_credentials