Thanks, @luke! I’ll try to test your suggestions over the weekend. Since I use password protection for project previews, I’d like to avoid basic auth – it’s ugly and doesn’t allow saving the password in a password manager – but I’ll check it out anyway.
The strange thing is, this only happens with the JS file. Images and styles are downloaded correctly. I’ll do more testing and see if it wasn’t caused by type="module" – I’ve seen some posts saying iOS had a problem with them.
Apart from basic auth, could you recommend any other solution that would allow me to password-protect the site? Could Functions help with that?
It is the module setting, for sure - just debugged this with another customer today.
You just need to not use that feature - normal links work great. This has a bit more detail (it talks about CORS but it’s a similar “Safari does this wrong; everyone else does this right” kinda thing):
As to workarounds, you could use XHR-type calls and make sure the cookie is set explicitly when you call them, or use Identity, but that isn’t really a drop-in replacement…