Skip to content

Send credentials when fetching the web app manifest (crossorigin="use-credentials")#4302

Open
m0sth8 wants to merge 1 commit into
umami-software:masterfrom
m0sth8:manifest-crossorigin-use-credentials
Open

Send credentials when fetching the web app manifest (crossorigin="use-credentials")#4302
m0sth8 wants to merge 1 commit into
umami-software:masterfrom
m0sth8:manifest-crossorigin-use-credentials

Conversation

@m0sth8

@m0sth8 m0sth8 commented May 27, 2026
edited
Loading

Copy link
Copy Markdown

What

Add crossOrigin="use-credentials" to the web app manifest <link> so the browser sends cookies when fetching /site.webmanifest.

Why

We run Umami as an internal-only service behind an AWS ALB with OIDC authentication (authenticate on unauthenticated requests). Everything works except the manifest.

Browsers fetch the web app manifest without credentials by default, unless the link tag opts in with crossorigin="use-credentials" (crossOrigin in JSX). So the manifest request arrives at our auth proxy with no session cookie, the proxy treats it as logged-out and 302-redirects it to the identity provider, and the browser then blocks the cross-origin redirect against Umami's own CSP (default-src 'self'):

Loading a manifest from 'https://accounts.google.com/o/oauth2/v2/auth?...'
violates the following Content Security Policy directive: "default-src 'self'".

The dashboard itself is fine — this is just the manifest failing to load on every page — but it's a console error on every authenticated deployment behind a cookie-based auth proxy (OAuth2 Proxy, Cloudflare Access, ALB OIDC, Authelia, etc.).

use-credentials makes the browser include cookies, the proxy sees the session, and the manifest loads same-origin. It's a no-op for installs without an auth proxy.

Prior art

The same one-line fix has been adopted by other self-hosted projects that hit this behind auth proxies:

Fix

-        <link rel="manifest" href="/site.webmanifest" />
+        <link rel="manifest" href="/site.webmanifest" crossOrigin="use-credentials" />

@vercel

vercel Bot commented May 27, 2026

Copy link
Copy Markdown

@m0sth8 is attempting to deploy a commit to the Umami Software Team on Vercel.

A member of the Team first needs to authorize it.

@greptile-apps

greptile-apps Bot commented May 27, 2026

Copy link
Copy Markdown
Contributor

Greptile Summary

This PR adds crossorigin="use-credentials" to the <link rel="manifest"> tag so browsers include session cookies when fetching /site.webmanifest, fixing a CSP violation that occurs when Umami is deployed behind cookie-based auth proxies (AWS ALB OIDC, OAuth2 Proxy, Cloudflare Access, etc.).

  • One-character change in src/app/layout.tsx: adds the crossorigin attribute to the manifest link so auth proxies receive the session cookie and serve the manifest correctly instead of redirecting to an identity provider.
  • The attribute is spelled crossorigin (lowercase HTML form) rather than crossOrigin (the correct camelCase JSX prop name), which may produce a TypeScript compile error and should be corrected.

Confidence Score: 4/5

The fix is conceptually correct — adding credentials to the manifest fetch resolves the auth proxy CSP issue — but the attribute casing needs to be corrected before merging to avoid a potential build failure.

The only change is a single JSX attribute on the manifest link. The credential-inclusion behaviour is correct and safe for same-origin deployments. The issue is that crossorigin (lowercase) is not the recognised React/JSX spelling; crossOrigin (camelCase) is what LinkHTMLAttributes declares, so the build may fail on type-checking. Fixing the casing to crossOrigin makes this a clean, safe change.

src/app/layout.tsx — attribute casing needs to change from crossorigin to crossOrigin.

Important Files Changed

Filename Overview
src/app/layout.tsx Adds crossorigin="use-credentials" to the manifest link; the intent is correct but uses the lowercase HTML spelling instead of the camelCase JSX prop crossOrigin, which may cause a TypeScript compile error.

Sequence Diagram

sequenceDiagram
    participant Browser
    participant AuthProxy as Auth Proxy (ALB/OAuth2)
    participant Umami

    Note over Browser,Umami: Before this PR (no credentials on manifest fetch)
    Browser->>AuthProxy: GET /site.webmanifest (no cookies)
    AuthProxy->>Browser: 302 → identity provider (e.g. accounts.google.com)
    Browser--xBrowser: CSP blocks cross-origin redirect

    Note over Browser,Umami: After this PR (crossOrigin="use-credentials")
    Browser->>AuthProxy: GET /site.webmanifest + session cookie
    AuthProxy->>Umami: Forwards authenticated request
    Umami->>Browser: 200 site.webmanifest
Loading

Reviews (1): Last reviewed commit: "Send credentials when fetching the web a..." | Re-trigger Greptile

greptile-apps[bot]
greptile-apps Bot reviewed May 27, 2026
View reviewed changes
Comment thread src/app/layout.tsx Outdated
<link rel="icon" type="image/png" sizes="32x32" href="/favicon-32x32.png" />
<link rel="icon" type="image/png" sizes="16x16" href="/favicon-16x16.png" />
<link rel="manifest" href="/site.webmanifest" />
<link rel="manifest" href="/site.webmanifest" crossorigin="use-credentials" />

@greptile-apps greptile-apps Bot May 27, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 The JSX prop should be crossOrigin (camelCase), not crossorigin (lowercase). React's TypeScript definitions (LinkHTMLAttributes) declare crossOrigin, so the lowercase spelling is an unknown property that will likely produce a TypeScript compile error. At runtime React may pass it through, but the camelCase form is the correct idiomatic JSX spelling and avoids any type-checking failure.

Suggested change
<link rel="manifest" href="/site.webmanifest" crossorigin="use-credentials" />
<link rel="manifest" href="/site.webmanifest" crossOrigin="use-credentials" />

@m0sth8
Send credentials when fetching the web app manifest
196bdc0 
Add crossOrigin="use-credentials" so the browser includes cookies
when fetching /site.webmanifest. Without it the manifest request is
sent unauthenticated and gets redirected to the login page by
cookie-based auth proxies (ALB OIDC, OAuth2 Proxy, Cloudflare
Access), which the browser then blocks against the app's own CSP.
@m0sth8 m0sth8 force-pushed the manifest-crossorigin-use-credentials branch from 2c2a322 to 196bdc0 Compare May 28, 2026 03:11
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@greptile-apps greptile-apps[bot] greptile-apps[bot] left review comments

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@m0sth8