From ea0469e61ae20be5020cae6aadab678fb2bde8bd Mon Sep 17 00:00:00 2001
From: Dan Brown <ssddanbrown@googlemail.com>
Date: Tue, 7 Nov 2023 14:33:37 +0000
Subject: [PATCH] PWA: Prevent passing credentials to avoid redirection issues

For #4649
More of a patch around the issue for now.
Have opened #4656 to properly address.
---
 app/App/PwaManifestBuilder.php         | 5 +++++
 resources/views/layouts/base.blade.php | 2 +-
 tests/PwaManifestTest.php              | 4 +---
 3 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/app/App/PwaManifestBuilder.php b/app/App/PwaManifestBuilder.php
index 4902d354d..ba4331a0f 100644
--- a/app/App/PwaManifestBuilder.php
+++ b/app/App/PwaManifestBuilder.php
@@ -6,6 +6,11 @@ class PwaManifestBuilder
 {
     public function build(): array
     {
+        // Note, while we attempt to use the user's preference here, the request to the manifest
+        // does not start a session, so we won't have current user context.
+        // This was attempted but removed since manifest calls could affect user session
+        // history tracking and back redirection.
+        // Context: https://github.com/BookStackApp/BookStack/issues/4649
         $darkMode = (bool) setting()->getForCurrentUser('dark-mode-enabled');
         $appName = setting('app-name');
 
diff --git a/resources/views/layouts/base.blade.php b/resources/views/layouts/base.blade.php
index 4acabbcac..cf15e5426 100644
--- a/resources/views/layouts/base.blade.php
+++ b/resources/views/layouts/base.blade.php
@@ -29,7 +29,7 @@
     <link rel="icon" type="image/png" sizes="32x32" href="{{ setting('app-icon-32') ?: url('/icon-32.png') }}">
 
     <!-- PWA -->
-    <link rel="manifest" href="{{ url('/manifest.json') }}" crossorigin="use-credentials">
+    <link rel="manifest" href="{{ url('/manifest.json') }}">
     <meta name="mobile-web-app-capable" content="yes">
 
     @yield('head')
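Review bot: With `crossorigin="use-credentials"` dropped from the manifest `<link>`, the browser fetches `/manifest.json` without cookies, so the endpoint must now answer correctly for an anonymous request. This patch does not show whether the manifest route is exempt from the login requirement on instances that disable public access; if it is not, the fetch would presumably be redirected to the login page and the PWA metadata would fail to load. It is worth confirming that the route is served to guests and returns only instance-level, non-sensitive values. A short template comment above the tag, such as `{{-- No crossorigin attribute: the manifest is fetched without cookies, see #4649 --}}`, would keep the attribute from being re-added later.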
diff --git a/tests/PwaManifestTest.php b/tests/PwaManifestTest.php
index ad9479048..c66f8b360 100644
--- a/tests/PwaManifestTest.php
+++ b/tests/PwaManifestTest.php
@@ -24,9 +24,7 @@ class PwaManifestTest extends TestCase
     {
         $html = $this->asViewer()->withHtml($this->get('/'));
 
-        // crossorigin attribute is required to send cookies with the manifest,
-        // so it can react correctly to user preferences (dark/light mode).
-        $html->assertElementExists('head link[rel="manifest"][href$="manifest.json"][crossorigin="use-credentials"]');
+        $html->assertElementExists('head link[rel="manifest"][href$="manifest.json"]');
         $html->assertElementExists('head meta[name="mobile-web-app-capable"][content="yes"]');
     }
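Review bot: The updated selector `head link[rel="manifest"][href$="manifest.json"]` also matches a link that still carries `crossorigin="use-credentials"`, so this test would keep passing if the attribute were reintroduced. Since the purpose of the change is that credentials are no longer sent with the manifest request, a negative assertion would pin that behaviour, e.g. `$html->assertElementNotExists('head link[rel="manifest"][crossorigin]');` (assuming the HTML assertion helper used here provides that method). The test method's signature lies above the hunk, so only its tail is visible here.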