fetched icons fail in chrome when same-origin policy is present

[elandorr]

I read #535, but that is only about the manifest itself.

With a same-origin CORP chrome devtools complains 'icon n failed to load'.

Their logger says:

t=1199 [st= 1]       +HTTP_TRANSACTION_SEND_REQUEST  [dt=0]
t=1199 [st= 1]          HTTP_TRANSACTION_HTTP2_SEND_REQUEST_HEADERS
                        --> :method: GET
                            :authority: foo.bar
                            :scheme: https
                            :path: /icons/512x512.png
                            ...
                            sec-fetch-site: cross-site
                            sec-fetch-mode: no-cors
                            sec-fetch-dest: image

even though a crossorigin attribute on the link to the manifest is given.

It should say sec-fetch-site: same-origin. If I turn off same-origin altogether, it works as expected.

Is this a bug in chrome, or am I missing something from the spec?

Firefox does not have this issue, their devtools show the images just fine. On Android a Chrome based fork I tried with also allows 'adding to homescreen' and shows an image. It's unclear whether that's just an upscaled favicon, though.

Cheers

[marcoscaceres]

I think the spec is correct here and I think Chrome might be working as expected. However, someone might need to check one the Chrome side.

[dmurph]

I don't think I fully understand what is going on here, sorry. Do you have a demo page that we could look at?

[elandorr]

This has been a while ago, so no demo page that could be shared, but here's a screenshot in case it was unclear where:

In Firefox it works, in Chrome it doesn't. There's nothing special about this setup. I tracked it down to the same-origin last year, nothing changed.