Lemmy is not installable as PWA anymore

[EchedelleLR]

Issue Summary

Lemmy is not "installable" as PWA anymore.

Steps to Reproduce

1. Open https://lemmy.ml or any other LemmyUI of any instance in Firefox for Android.
2. Check for the install option.
3. See that only "Add to Home screen" is available, as if it was detected as common website.
4. Press it and see that it is indeed opened as a web browser tab.

Technical details

• OS: Android 10.
• Web Browser: Firefox for Android 105.1.0

[zcdunn]

I came to file the same issue. I checked devtools on desktop and found that the web app manifest isn't being loaded.

Content Security Policy: The page’s settings blocked the loading of a resource at https://lemmy.ml/static/assets/manifest.webmanifest (“default-src”).

There also doesn't seem to be a service worker installed, though I can't find any errors related to it. I don't see any request for a service worker in the network logs

[dessalines]

The CSP is most likely the only problem, because nothing else has changed. I'll try to get this in before the next update.

[m-boyd]

I'm still experiencing this issue on Android 13, even after the recent commit. Same steps to reproduce.

[dessalines]

I'm not too great at CSP, could you check to see what the issue is? I've allowed all manifest-src files so I'm not sure what else it could be.

[zcdunn]

I get

Content Security Policy: The page’s settings blocked the loading of a resource at https://lemmy.ml/static/assets/manifest.webmanifest (“default-src”).

on Firefox 109.0. FIrefox doesn't show response headers for that request since it blocked it, but on other requests I can see the CSP header and manifest-src isn't present

content-security-policy: default-src 'none'; connect-src *; img-src * data:; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; form-action 'self'; base-uri 'self'

[dessalines]

That fix hasn't been deployed yet.