Apparently when you declare icons in a PWA manifest, they get fetched without cookies. This is true even if the manifest itself is fetched with crossorigin="use-credentials" (which sends cookies).

Result is for a Dropserver app to be a PWA, it is forced to have some public routes, just to serve these icons.

See screenshot of Leftovers app routes (this is from ds-dev interface). That yellow "public" is so frustrating 😞


Link to SO q:

This stinks. I really want people to have personal web apps with zero public routes.

I hope this can be fixed in standards?

Otherwise I'll have to get crafty and work around it, maybe by declaring a special handler for manifests that rewrites icon urls to some unguessable link that would be served by Dropserver.

Sign in to participate in the conversation

The social network of the future: No ads, no corporate surveillance, ethical design, and decentralization! Own your data with Mastodon!