Web app manifest with related_applications and enabled CORS, CORP, COEP (which are required for our web app) throws an error
Web app manifest:
...
  "related_applications": [
    {
      "platform": "play",
      "url": "xyz",
      "id": "xyz"
    }
  ],
  "prefer_related_applications": true,
...
Response headers from our server:
Cross-Origin-Opener-Policy: "same-origin"
Cross-Origin-Embedder-Policy: "require-corp"
Cross-Origin-Resource-Policy: "cross-origin"
CSP includes:
...
img-src 'self' https://play-lh.googleusercontent.com
...
By adding https://play-lh.googleusercontent.com to the CSP we mitigated the CSP error in our CSP reporting dashboard (uriports.com).
But another error occurred:
Type: corp
Error: This is a Cross-Origin-Resource-Policy violation. The loaded resource is cross-origin, but that was not allowed by the CORP policy in the header.
Destination: image
Blocked Url: https://play-lh.googleusercontent.com/xyz
When I manually change the src of the image in production, an error appears in the browser console:
GET https://play-lh.googleusercontent.com/xyz net::ERR_BLOCKED_BY_RESPONSE.NotSameOriginAfterDefaultedToSameOriginByCoep 400 (Bad Request)
On the other hand, if I add <img src="..." crossorigin /> everything works without an issue.
I am not able to set crossorigin on the image or a correct header on the response, which is automatically injected by Google on Android.
Article about installation prompt: https://web.dev/learn/pwa/installation-prompt
What is the best way to show the installation prompt to users if I do not want to get rid of COOP, CORP...?