author | Andreas Gohr <andi@splitbrain.org> | 2025-03-15 10:50:27 +0100 |
---|---|---|
committer | Andreas Gohr <andi@splitbrain.org> | 2025-03-15 10:50:27 +0100 |
commit | 5ed7bacec486014377d5973347d50fb7953c84ad (patch) | |
tree | 9c723199e8294d57eb5320e4b4e7536521482243 | |
parent | 999fe614933a32bd80b5e25f09685b6215d54998 (diff) | |

set crossorigin header for manifest. fixes #4322

To summarize the issue:

1. the wiki is protected by Basic auth, outside of the wiki
2. chrome will not pass authentication credentials when accessing a linked manifest
3. the webserver will deny access to the manifest

DokuWiki does not care about the auth credentials, because the manifest returns public info only. The issue is really with the webserver denying the request.

Using a crossorigin hint will work around the chrome behaviour. The only potential downside would be that chrome now will send auth credentials even when there is no web server based auth. Since DokuWiki doesn't care, it's not really a downside.

-rw-r--r-- | inc/template.php | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/inc/template.php b/inc/template.php index 7cf303aae..db524c986 100644 --- a/inc/template.php +++ b/inc/template.php @@ -269,7 +269,8 @@ function tpl_metaheaders($alt = true) if (actionOK('manifest')) { $head['link'][] = [ 'rel' => 'manifest', - 'href' => DOKU_BASE . 'lib/exe/manifest.php' + 'href' => DOKU_BASE . 'lib/exe/manifest.php', + 'crossorigin' => 'use-credentials' // See issue #4322 ]; } |
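
Review bot: the new 'crossorigin' => 'use-credentials' entry in tpl_metaheaders() is emitted unconditionally, so it also applies if DOKU_BASE ever resolves to an origin other than the one serving the page. In that case the browser fetches the manifest as a credentialed CORS request, and the response is only accepted when lib/exe/manifest.php answers with an Access-Control-Allow-Origin header naming the page's origin (not `*`) together with `Access-Control-Allow-Credentials: true`; nothing in this hunk shows those headers being set. Please either confirm the href is always same-origin here or cover that case. The inline comment "See issue #4322" would also be more useful if it stated the reason directly, for example that Chrome omits Basic auth credentials on the manifest fetch without this attribute, so a reader does not need the issue tracker to understand why the attribute is present.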