Summary
Expose the engine's new global withCredentials flag as a project setting, so projects can load assets from an authenticated cross-origin host (CDN/storage that requires cookies, client TLS certificates or HTTP auth) without hand-editing the generated bootstrap.
Engine support: playcanvas/engine#8983 (closes playcanvas/engine#1649).
Background
The engine now has a single, global opt-in:
ResourceLoader.withCredentials (boolean, default false) — forwards to the shared HTTP layer and applies to all XHR-based asset loads (textures, models, audio, JSON, fonts, …).
AppBase._parseApplicationProperties reads application_properties.withCredentials and applies it during configure() before preload(), so preloaded assets pick it up automatically — exactly the same path already used by maxAssetRetries and maxConcurrentRequests.
So the editor side only needs to surface a setting and make sure it lands in the published config.json under application_properties.
Proposed work
- Project settings schema (
src/editor/settings/project-settings.ts): add withCredentials: boolean (default false).
- Settings UI (
src/editor/inspector/settings-panels/network.ts): add a boolean field to the existing NETWORK panel, e.g.
- label:
Asset Credentials (or Load Assets With Credentials)
- path:
withCredentials
- type:
boolean
- reference:
settings:project:withCredentials
- Reference/help text (
src/editor/attributes/reference/settings.ts): add the settings:project:withCredentials entry. Suggested copy: "Send asset requests with credentials (cookies, client certificates, HTTP auth). Enable when assets are served from an authenticated cross-origin host. The server must respond with a non-wildcard Access-Control-Allow-Origin and Access-Control-Allow-Credentials: true."
- Published config export: ensure the setting is written into
config.json application_properties.withCredentials (same export path as maxAssetRetries/maxConcurrentRequests), so the engine reads it before preload.
- Launch tab (
src/launch/viewport/viewport.ts): for parity, set app.loader.withCredentials = projectSettings.get('withCredentials') before app.preload(...) (the preload call at the top of init()). Note the launch preview loads assets from same-origin assetPrefix: '/api/', so cookies already flow there and this is mostly cosmetic — but keep it consistent. (Careful: the existing enableRetry wiring runs after init(); the credentials flag must be set before preload to take effect.)
Caveats to document
- Does not cover
config.json itself (fetched before any property is parsed) or the engine/game/loading-screen <script> tags (fetched by the browser, not the engine HTTP layer). Those must be reachable without credentials, or served same-origin.
- Defaults to
false; purely opt-in, no behavior change for existing projects.
Use case
Reported in playcanvas/engine#1649: textures (and other assets) on an authenticated cross-origin host returned 401 because there was no way to enable withCredentials for asset loads.
Summary
Expose the engine's new global
withCredentialsflag as a project setting, so projects can load assets from an authenticated cross-origin host (CDN/storage that requires cookies, client TLS certificates or HTTP auth) without hand-editing the generated bootstrap.Engine support: playcanvas/engine#8983 (closes playcanvas/engine#1649).
Background
The engine now has a single, global opt-in:
ResourceLoader.withCredentials(boolean, defaultfalse) — forwards to the shared HTTP layer and applies to all XHR-based asset loads (textures, models, audio, JSON, fonts, …).AppBase._parseApplicationPropertiesreadsapplication_properties.withCredentialsand applies it duringconfigure()beforepreload(), so preloaded assets pick it up automatically — exactly the same path already used bymaxAssetRetriesandmaxConcurrentRequests.So the editor side only needs to surface a setting and make sure it lands in the published
config.jsonunderapplication_properties.Proposed work
src/editor/settings/project-settings.ts): addwithCredentials: boolean(defaultfalse).src/editor/inspector/settings-panels/network.ts): add a boolean field to the existing NETWORK panel, e.g.Asset Credentials(orLoad Assets With Credentials)withCredentialsbooleansettings:project:withCredentialssrc/editor/attributes/reference/settings.ts): add thesettings:project:withCredentialsentry. Suggested copy: "Send asset requests with credentials (cookies, client certificates, HTTP auth). Enable when assets are served from an authenticated cross-origin host. The server must respond with a non-wildcardAccess-Control-Allow-OriginandAccess-Control-Allow-Credentials: true."config.jsonapplication_properties.withCredentials(same export path asmaxAssetRetries/maxConcurrentRequests), so the engine reads it before preload.src/launch/viewport/viewport.ts): for parity, setapp.loader.withCredentials = projectSettings.get('withCredentials')beforeapp.preload(...)(the preload call at the top ofinit()). Note the launch preview loads assets from same-originassetPrefix: '/api/', so cookies already flow there and this is mostly cosmetic — but keep it consistent. (Careful: the existingenableRetrywiring runs afterinit(); the credentials flag must be set before preload to take effect.)Caveats to document
config.jsonitself (fetched before any property is parsed) or the engine/game/loading-screen<script>tags (fetched by the browser, not the engine HTTP layer). Those must be reachable without credentials, or served same-origin.false; purely opt-in, no behavior change for existing projects.Use case
Reported in playcanvas/engine#1649: textures (and other assets) on an authenticated cross-origin host returned 401 because there was no way to enable
withCredentialsfor asset loads.