Add crossorigin="use-credentials" to manifest.json and opensearch.xml

Everyone can contribute. Help move this issue forward while earning points, leveling up and collecting rewards.

Close this issue

Summary

Requests made to /-/manifest.json and /search/opensearch.xml do not contain cookies, which prevents fetching these files when GitLab is hosted behind an authentication proxy. To solve these issues, please update GitLab to support crossorigin="use-credentials" for requests to these locations.

Example

<link href="/-/manifest.json" rel="manifest" crossorigin="use-credentials">
<link href="/search/opensearch.xml" rel="search" title="Search GitLab" type="application/opensearchdescription+xml" crossorigin="use-credentials">

References

https://web.dev/articles/add-manifest
https://stackoverflow.com/questions/51777346/cookies-not-sent-with-request-for-web-app-manifest-json
https://github.com/home-assistant/frontend/issues/940

Edited Aug 11, 2025 by 🤖 GitLab Bot 🤖