Add crossorigin=use-credentials to link[rel=manifest] for sake of Basic Auth

[westonruter]

In a support topic, it was revealed that the Web App Manifest fails to load when Basic Auth is being used.

I was able reproduce this with a test plugin:

<?php
/**
 * Plugin Name: Basic Auth
 */


if ( is_admin() || 'cli' === php_sapi_name() ) {
	return;
}

if (
	! isset( $_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'] )
	||
	'admin' !== $_SERVER['PHP_AUTH_USER']
	||
	'password' !== $_SERVER['PHP_AUTH_PW']
) {
	status_header( 401 );
	header( 'WWW-Authenticate: Basic realm="My Realm"' );
	echo "Authorization required";
	exit;
}

When loading a page after providing authentication, I got:

When crossorigin="use-credentials" was added, however, there was no issue loading the Web App Manifest.

This appears to be the the best practice per w3c/manifest#535 (comment). For more context and explanation for why this is needed (but isn't for link[rel=stylesheet], see w3c/manifest#535 (comment).

Solution also affirmed in koajs/basic-auth#19 (comment) and https://stackoverflow.com/a/51157352/93579.

If a site doesn't use HTTP Basic Auth, then sending credentials won't make any difference either.

[codecov-io]

Codecov Report

Merging #371 (8b8e0ad) into develop (6c3500f) will not change coverage.
The diff coverage is n/a.

@@            Coverage Diff             @@
##             develop     #371   +/-   ##
==========================================
  Coverage      24.28%   24.28%           
  Complexity       364      364           
==========================================
  Files             55       55           
  Lines           1865     1865           
==========================================
  Hits             453      453           
  Misses          1412     1412           

Flag	Coverage Δ	Complexity Δ
php	24.28% <ø> (ø)	0.00 <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files	Coverage Δ	Complexity Δ
wp-includes/class-wp-web-app-manifest.php	53.27% <ø> (ø)	32.00 <0.00> (ø)

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 6c3500f...8b8e0ad. Read the comment docs.

[westonruter]

Actually, using a service worker on a site with Basic Auth is currently broken. So fixing this one issue with the Web App Manifest doesn't have much value at all, since as soon as the service worker is installed and the auth expires, then users will get a 401 error responses without any auth prompt. For more details, see GoogleChrome/workbox#2515. This is not an issue with Workbox but rather a platform issue in Chrome and other browsers.

[felixarntz]

Great!

[westonruter]

Build for testing: pwa.zip