Pass credentials on navigator.serviceWorker.register("/service_worker.js");

[SystemR]

There doesn't seem to be a way to pass credentials when calling register() in the standard: https://www.w3.org/TR/service-workers-1/#dom-serviceworker-scripturl

As per this doc:
https://developer.microsoft.com/en-us/microsoft-edge/platform/issues/17360912/

Service Worker: Credentials are not sent during registration
Author: Yannick S.
Created: May 3, 2018

When registering a service worker with navigator.serviceWorker.register('service-worker.js') in an authenticated scenario, the request to fetch the service worker omits the Authorization header with the credentials, resulting in a 401 error. (Other browsers send credentials when fetching service workers.) The promise returned by register is rejected with TypeError: invalid argument.

I don't see the Authorization header in the request when navigator fetches service-worker.js in current browser implementations.

There should be an option to use credentials like in <links>: <link crossorigin="use-credentials">

[jakearchibald]

Which browsers are missing credentials? The spec says the request should be made with "same-origin" credentials, same as new Worker(url).

[SystemR]

It is same origin but for my case there's a load balancer with auth that looks for credential cookie.

Previously my fetch to manifest <link rel="manifest" href="manifest.json" /> doesn't have this credential cookie either (and I think there was a pre-flight OPTIONS?).

Since there's no credential cookie my LB responds with text/html error page and the fetch fails (Chrome also does CORB for text/html mime). To get around it I specified crossorigin="use-credentials" and I can see in the network tab that <link rel="manifest" crossorigin="use-credentials" href="manifest.json" /> now includes the cookie and the call can go through.

Now I'm hitting the same roadblock with navigator.serviceWorker.register("/service_worker.js"); and the request just stays at Pending. I believe this is also the same issue with edge in this link https://developer.microsoft.com/en-us/microsoft-edge/platform/issues/17360912/, except theirs look for Authorization header.

BTW a day later I'm now seeing Chrome not showing the service_worker.js call in the network tab but see a failed install in the Application tab and Service worker does not have the 'fetch' handler warning. Chrome Canary still shows the service_worker.js request.

[SystemR]

After playing around with my server config I think it does pass credentials. On the server side I also had to make sure it returns the right mime type to avoid CORB. Thank you @jakearchibald.