
Set crossorigin to utilize credentials for fetching manifest.json #4973

Closed

Conversation

mzalgaonker

⚠️⚠️⚠️ Since we do not accept all types of pull requests and do not want to waste your time, please be sure that you have read the pull request rules:
https://github.com/louislam/uptime-kuma/blob/master/CONTRIBUTING.md#can-i-create-a-pull-request-for-uptime-kuma

Tick the checkbox if you understand [x]:

  • I have read and understand the pull request rules.

Description

When using UptimeKuma behind an authentication gateway (in my case, Envoy Gateway), the application makes a request to get manifest.json, which gets denied by CORS since the request goes through the Gateway unauthenticated.

Setting crossorigin on the manifest.json request will make the request with user credentials; therefore the request will be allowed through the Gateway.

Fixes #(issue)

Access to manifest at 'https://<REDACTED>manifest.json' (redirected from 'https://<REDACTED>/manifest.json') from origin 'https://<REDACTED>' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

Type of change

Please delete any options that are not relevant.

  • Bug fix (non-breaking change which fixes an issue)

Checklist

  • My code follows the style guidelines of this project
  • I ran ESLint and other linters for modified files
  • I have performed a self-review of my own code and tested it
  • I have commented my code, particularly in hard-to-understand areas (including JSDoc for methods)
  • My changes generate no new warnings
  • My code needed automated testing. I have added them (this is an optional task)

Screenshots (if any)

Please do not use any external image service. Instead, just paste in or drag and drop the image here, and it will be uploaded automatically.

@CommanderStorm
Collaborator

I don't think this is the proper fix. Credentials should not be required for said path on our end.

What Access-Control-Allow-Origin header have you configured in your reverse proxy?
How are you configuring this?
The reverse proxy should not check CORS, only the browser should. Since that is not cross-origin there, that should be fine. Am I missing something?

@CommanderStorm added the labels "area:deployment" (related to how uptime kuma can be deployed) and "pr:please address review comments" (this PR needs a bit more work to be mergable) on Jul 30, 2024
@mzalgaonker
Author

@CommanderStorm I think my use case was a bit unclear.
I am using OIDC authentication in front of uptimekuma, so it works like this:

  1. User requests access to uptimekuma
  2. Gateway checks if user is authenticated. If not, redirect to auth portal (keycloak in my case)
  3. After authentication, user can access uptimekuma
  4. uptimekuma makes a request for manifest.json
  5. This request to manifest.json does not pass the Gateway authentication since credentials are not passed with the request
  6. Observe CORS error in console, which is a bit misleading. The request would be successful with authentication, but it shows up as a CORS error because it's getting redirected to the domain of my authentication portal

I believe this is the same issue highlighted here.
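
The six steps above, as an added example that is not code from this PR or from Uptime Kuma: a small JavaScript model of the gateway and of the browser's manifest fetch, with placeholder origins, showing why a redirect to the auth portal surfaces as a CORS error and how each remedy discussed in this thread (crossorigin="use-credentials" on the manifest link, or excluding the manifest path from SSO at the gateway) lets the fetch succeed.

```javascript
// Added example, not code from the uptime-kuma PR: a constructed model of the
// reporter's flow so the misleading CORS error can be reproduced offline and the
// two remedies compared. Both origins are placeholders.
const APP_ORIGIN = "https://app.example.test";  // placeholder for the Uptime Kuma origin
const AUTH_ORIGIN = "https://sso.example.test"; // placeholder for the auth portal origin

// Gateway model: requests carrying a valid session reach the app; anything else
// is redirected to the auth portal, unless the path is excluded from SSO
// (the maintainer's suggested approach).
function gateway(request, ssoExemptPaths = []) {
  if (ssoExemptPaths.includes(request.path) || request.cookies.session === "valid") {
    return { status: 200, origin: APP_ORIGIN, headers: {}, body: '{"name":"Uptime Kuma"}' };
  }
  return { status: 302, origin: AUTH_ORIGIN, headers: {}, body: "" };
}

// Browser model for <link rel="manifest">: the manifest is fetched without
// credentials by default; crossorigin="use-credentials" (the PR's approach)
// sends the same-origin session cookie along.
function fetchManifest({ crossorigin = null, sessionCookie = "valid", ssoExemptPaths = [] }) {
  const cookies = crossorigin === "use-credentials" ? { session: sessionCookie } : {};
  let response = gateway({ path: "/manifest.json", cookies }, ssoExemptPaths);
  if (response.status === 302) {
    // The redirect lands on the portal's login page, which sets no CORS headers
    // for the app origin.
    response = { status: 200, origin: AUTH_ORIGIN, headers: {}, body: "<html>login</html>" };
  }
  // The browser's CORS check on the final response: cross-origin with no
  // Access-Control-Allow-Origin header means a block, so an SSO redirect is
  // reported as a CORS failure rather than as "not authenticated".
  if (response.origin !== APP_ORIGIN && !response.headers["Access-Control-Allow-Origin"]) {
    return { ok: false, error: "blocked by CORS policy: No 'Access-Control-Allow-Origin' header" };
  }
  return { ok: true, manifest: JSON.parse(response.body) };
}
```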

@CommanderStorm
Collaborator

Why do you want the manifest to be behind the reverse proxy?

From my point of view this is not a bug with us, but rather with how you scope what should be included in and excluded from SSO.

Since there is no need (we don't afaik check credentials there) for credentials on that route from our side, I don't like adding them.

@CommanderStorm added the label "question" (Further information is requested) on Aug 9, 2024