Apparently when you declare icons in a PWA manifest, they get fetched without cookies. This is true even if the manifest itself is fetched with crossorigin="use-credentials" (which sends cookies).
Result is for a Dropserver app to be a PWA, it is forced to have some public routes, just to serve these icons.
See screenshot of Leftovers app routes (this is from ds-dev interface). That yellow "public" is so frustrating 😞
add this to the pile of problems that didn't exist before people decided to start trying to use web browsers for every single thing
@teleclimber until they start doing the same thing to the web since chrome controls 70% of the market with safari taking most of the rest
the web is not really open anymore in the way it was 10 years ago, stop enabling our corporate oppressors to continue doing what they're doing by working in the margins of what they haven't asserted their influence as strongly yet