set crossorigin header for manifest. fixes dokuwiki#4322

splitbrain · splitbrain · commit 5ed7bacec486 · 2025-03-15T10:50:27.000+01:00
To summarize the issue:

1. the wiki is protected by Basic auth, outside of the wiki
2. chrome will not pass authentication credentials when accessing a
   linked manifest
3. the webserver will deny access to the manifest

DokuWiki does not care about the auth credentials, because the manifest
returns public info only. The issue is really with the webserver
denying the request.

Using a crossorigin hint will work around the chrome behaviour. The only
potential downside would be that chrome now will send auth credentials
even when there is no web server based auth. Since DokuWiki doesn't care,
it's not really a downside.
diff --git a/inc/template.php b/inc/template.php
@@ -269,7 +269,8 @@ function tpl_metaheaders($alt = true)
     if (actionOK('manifest')) {
         $head['link'][] = [
             'rel' => 'manifest',
-            'href' => DOKU_BASE . 'lib/exe/manifest.php'
+            'href' => DOKU_BASE . 'lib/exe/manifest.php',
+            'crossorigin' => 'use-credentials' // See issue #4322
         ];
     }
 

Original file line number	Diff line number	Diff line change
`@@ -269,7 +269,8 @@ function tpl_metaheaders($alt = true)`
`269`	`269`	`if (actionOK('manifest')) {`
`270`	`270`	`$head['link'][] = [`
`271`	`271`	`'rel' => 'manifest',`
`272`		`- 'href' => DOKU_BASE . 'lib/exe/manifest.php'`
	`272`	`+ 'href' => DOKU_BASE . 'lib/exe/manifest.php',`
	`273`	`+ 'crossorigin' => 'use-credentials' // See issue #4322`
`273`	`274`	`];`
`274`	`275`	`}`
`275`	`276`