fix: Fetch manifest with credentials over CORS

[samvrlewis]

Summary

When behind authentication (for eg: Cloudflare Access), browsers
won't send credentials when fetching the manifest file by default.

To fix, this change adds crossorigin="use-credentials" to the
manifest link tag which allows the browser to attach credentials.
Because of limitations with Vite, for now this needs to happen as
a manual post build step.

Change Type

Please delete any irrelevant options.

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• This change requires a documentation update
• Translation update

Testing

Ran npm run frontend and ensured the manifest link in client/dist/index.html had the expected crossorigin attribute.

Test Configuration:

Checklist

Please delete any irrelevant options.

• My code adheres to this project's style guidelines
• I have performed a self-review of my own code
• I have commented in any complex areas of my code

[danny-avila]

@samvrlewis Since the manifest file is generated by vite-plugin-pwa, can you double check there is no option to do this through that library before trying it this way?

I only just thought of this, and looking at it, it may as simple as this:
https://vite-pwa-org.netlify.app/guide/faq.html#web-app-manifest-and-401-status-code-unauthorized

[danny-avila]

Please see: #5156 (comment)

[samvrlewis]

@samvrlewis Since the manifest file is generated by vite-plugin-pwa, can you double check there is no option to do this through that library before trying it this way?

I only just thought of this, and looking at it, it may as simple as this: https://vite-pwa-org.netlify.app/guide/faq.html#web-app-manifest-and-401-status-code-unauthorized

Great spot, I can't believe I missed this. Tested and it seems to work perfectly! Have updated this PR to do it that way.