--cross-origin build option not respected by lazy loader

[jjamid]

🐞 Bug report

Command (mark with an x)

• new
• [x ] build
• serve
• test
• e2e
• generate
• add
• update
• lint
• extract-i18n
• [] run
• config
• help
• version
• doc

Is this a regression?

Yes, the previous version in which this bug was not present was: 12

Description

In Android WebView, the default behavior for type="module" is not to send credentials, even for same origin.
Using the build option --cross-origin=use-credentials solves this problem for the initial scripts by
adding it to the generated scripts.

ng build --configuration=production --cross-origin=use-credentials

However, the lazy loader does not respect this option and only checks the window.location.origin and doesn't add crossOrigin="use-credentials" to the lazy load requests for the same origin.
As a result the module loading fails.

One expects that it will respect the build option --cross-origin=use-credentials

As a work around, I manually change the runtime.js file after build to add the crossOrigin attribute.

🔬 Minimal Reproduction

Running an angular 13 application with lazy loading in an android WebView when cookies are needed for same origin.

🔥 Exception or Error

🌍 Your Environment

Anything else relevant?

[alan-agius4]

Can you please provide the output of ng version?

We do have a test that covers this case:

angular-cli/packages/angular_devkit/build_angular/src/builders/browser/specs/cross-origin_spec.ts

Line 88 in d163229

it('works for lazy chunks', async () => {

[jjamid]

Here is the problematic minified line of code from the build itself inside runtime.js, it only adds crossOrigin when the location.origin is different, and does not respect the build option

0 !== t.src.indexOf(window.location.origin + "/") && (t.crossOrigin = "use-credentials")),

And here is the ng version output

Angular CLI: 13.3.0
Node: 12.22.11
Package Manager: npm 6.14.16
OS: win32 x64

Angular: 13.3.0
... animations, cli, common, compiler, compiler-cli, core, forms
... localize, platform-browser, platform-browser-dynamic, router

Package Version

@angular-devkit/architect 0.1303.0
@angular-devkit/build-angular 13.3.0
@angular-devkit/core 13.3.0
@angular-devkit/schematics 13.3.0
@schematics/angular 13.3.0
ng-packagr 13.3.0
rxjs 6.6.7
typescript 4.6.2

[jjamid]

Can you please provide the output of ng version?

We do have a test that covers this case:

angular-cli/packages/angular_devkit/build_angular/src/builders/browser/specs/cross-origin_spec.ts

Line 88 in d163229

it('works for lazy chunks', async () => {

This test seems wrong. Checking if something contains a text anywhere is hardly a good check.

[alan-agius4]

This is not actionable from our end as that is how Webpack handles crossOrigin. https://github.com/webpack/webpack/blob/c181294865dca01b28e6e316636fef5f2aad4eb6/lib/runtime/LoadScriptRuntimeModule.js#L89-L96

If you feel that this should be handled any different please file an issue with Webpack.

[jjamid]

This is not actionable from our end as that is how Webpack handles crossOrigin. https://github.com/webpack/webpack/blob/c181294865dca01b28e6e316636fef5f2aad4eb6/lib/runtime/LoadScriptRuntimeModule.js#L89-L96

If you feel that this should be handled any different please file an issue with Webpack.
Too bad.

So basically the build option is useless when using lazy loading with Android WebView. Perhaps it should be pointed out somewhere. I will look for another workaround. Maybe even with the Android WebView Team.

Thanks anyway for the quick reply.

[angular-automatic-lock-bot]

This issue has been automatically locked due to inactivity.
Please file a new issue if you are encountering a similar or related problem.

Read more about our automatic conversation locking policy.

_{This action has been performed automatically by a bot.}