Description
Steps to Reproduce
Start with an empty app, add e.g. <script src="https://cdn.auth0.com/js/auth0-spa-js/1.2/auth0-spa-js.production.js"></script>, and call the Auth0 API for authorization.
Expected results:
Auth0 API works as is.
Actual results:
When built in production mode and the service worker is allowed, calls to the Auth0 API fail with:
Access to fetch at 'https://MYORG.auth0.com/oauth/token' from origin 'https://MYDOMAIN.COM' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: The value of the 'Access-Control-Allow-Credentials' header in the response is '' which must be 'true' when the request's credentials mode is 'include'.
I'm pretty sure it's because #48344 introduces the following code:
    self.addEventListener('fetch', function (event) {
      event.respondWith(
        caches.match(event.request)
          .then(function (response) {
            if (response) {
              return response;
            }
            return fetch(event.request, {
              credentials: 'include'
            });
          })
      );
    });
Effectively, that means the service worker will attempt to serve the Flutter build artefacts from cache and pass through the others. For whatever reason, it also injects credentials: 'include' into every request now, and that breaks third-party APIs that didn't expect that and don't set Access-Control-Allow-Credentials.
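The failure described above, as an added example (not part of the original report and not Flutter's generated service worker): a simplified model of the browser's CORS credential check, the credentials mode the quoted handler forces on a cache miss, and a hypothetical handler that leaves cross-origin requests untouched. The names `corsCheckPasses`, `forcedIncludeMode`, `planFetch`, `passThroughMode`, the `*.example` origins and the sample request are assumptions made for illustration.

```javascript
// Added example, not Flutter's generated service worker.
// Simplified model of the Fetch-spec CORS check for a cross-origin response.
function corsCheckPasses(credentialsMode, pageOrigin, headers) {
  const allowOrigin = headers['access-control-allow-origin'];
  if (credentialsMode !== 'include') {
    return allowOrigin === '*' || allowOrigin === pageOrigin;
  }
  // Credentialed mode: no wildcard origin, and the credentials header must be 'true'.
  return allowOrigin === pageOrigin &&
    headers['access-control-allow-credentials'] === 'true';
}

// Cache-miss behaviour of the handler quoted in the issue: mode is overridden.
function forcedIncludeMode(request) {
  return 'include';
}

// Hypothetical alternative: claim only same-origin GETs; return null for the
// rest so the browser sends the request with the mode the caller chose.
function planFetch(request, workerOrigin) {
  const sameOrigin = new URL(request.url).origin === workerOrigin;
  if (request.method !== 'GET' || !sameOrigin) return null;
  return { credentials: request.credentials };
}

function passThroughMode(request, workerOrigin) {
  const plan = planFetch(request, workerOrigin);
  return plan ? plan.credentials : request.credentials;
}

// Constructed sample data (placeholder origins, not taken from the issue).
const PAGE_ORIGIN = 'https://app.example';
const tokenRequest = {
  url: 'https://idp.example/oauth/token',
  method: 'POST',
  credentials: 'same-origin', // assumption: the library uses the fetch() default
};
const tokenResponseHeaders = { 'access-control-allow-origin': PAGE_ORIGIN };

// Wiring inside a real service worker; skipped when run under Node.
if (typeof ServiceWorkerGlobalScope !== 'undefined') {
  self.addEventListener('fetch', (event) => {
    if (planFetch(event.request, self.location.origin) === null) return;
    event.respondWith(
      caches.match(event.request).then((hit) => hit || fetch(event.request))
    );
  });
}
```

Returning from the `fetch` listener without calling `respondWith()` hands the request back to the browser's default handling, so a third-party endpoint only sees credentials when the calling code asked for them.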