I am trying to enable PWA on a web site that requires authentication (login tokens managed via Cookies)..

I am trying this out locally (http://localhost:4502) and login (and am issued the login cookie) for the web site.

The problem is when the Web App manifest is requested, no Cookies are sent on the request, so the request is not authenticated.

<link rel="manifest" href="/content/site-x/manifest.json">

As you can see the manifest is served off the the same host/scheme as the web page that includes it.

Do the requests for the the manifest have cookies passed along? I even set my login cookie to be as lax as possible, but nothing. The cookies are sent on all the other requests (JS, CSS, etc.) -- Is there something special about localhost perhaps? Or that its not http?

According to the https://developers.google.com/web/fundamentals/web-app-manifest/

The request for the manifest is made without any credentials (even if it's on the same domain), thus if the manifest requires credentials, you must include crossorigin="use-credentials" in the manifest tag.

So adding <link rel="manifest" href="/manifest.json" crossorigin="use-credentials"> for both cross domain as adding server cookies in the request for the manifest

There seems to be an old a bug in chromium, should have been fixed through all these years. Perhaps you can try using ajax/fetch the "/content/site-x/manifest.json" with requestHeader "Content-type: application/json" and then create a Blob from it and subsequently call createObjectURL(Blob) and give this url to href?

And then also, there is this:

<link rel="manifest" href="/manifest.json" crossorigin="use-credentials">

which I guess in your case would not help since you are on the same origin.