Default CORS behavior when using manifest vs RemoteEntry.js

[m-arav]

Hi,

Noticed that when using RemoteEntry.js requests are made in no-cors mode

sec-fetch-dest: script
sec-fetch-mode: no-cors
sec-fetch-site: cross-site

but when mf-manifest.json is used the requests are made in cors mode to obtain the resource.

sec-fetch-dest: empty
sec-fetch-mode: cors
sec-fetch-site: cross-site

Is there a way to control this with a user supplied config?

Scenario

Developing on a host locally and the remotes are hosted on a CDN. Some of our remotes are using RemoteEntry.js and the new remotes are using mf-manifest.json. In this case the requests for mf-manifest.json from localhost to the CDN gets blocked because of CORS policy but the requests for RemoteEntry.js goes through. I have less control on setting the CDN response headers (Access-Control-Allow-Origin: *) so was checking to see if there was any way to control this behavior?

[ScriptedAlchemy]

Provide repo

[m-arav]

Okay, I'll setup a example host and setup the sample remotes on some CDN, current repo cannot be shared.

It is a very straightforward setup though. Can be replicated by this config in webpack.config.js

new ModuleFederationPlugin({
      name: 'webpack',
      remotes: {
        nocors: 'remote@https://example.cdn.io/remoteEntry.js',
        cors: 'manifest@https://example.cdn.io/mf-manifest.json',
      },
      shared: {
        ...deps,
        react: {
          singleton: true,
        },
        'react-dom': {
          singleton: true,
        },
      },
    }),

[ScriptedAlchemy]

That's because it's fetch() like an api call. Scripts don't use fetch.

Can you try just fetching it manually in your user code and see if you are able to fetch() the json successfully yourself. Then we would know what to do.
Scripts behave differently than fetch calls