And the solution for me was to add the crossorigin="use-credentials"
attribute to the manifest’s link element.
<link rel="manifest" href="manifest.json" crossorigin="use-credentials" />
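A way to check pages for this fix, as an added example that is not part of the original post: the script scans markup for manifest links that lack crossorigin="use-credentials" and also flags typographic quotes around the href value. The function names and the sample markup are constructed for illustration.

```javascript
// Added example: flag <link rel="manifest"> tags that lack
// crossorigin="use-credentials". Names and sample markup are constructed.

// Parse one <link ...> tag into an object keyed by lowercase attribute name.
function parseAttributes(tag) {
  const body = tag.replace(/^<\s*link\b/i, "").replace(/\/?>$/, "");
  const re = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'<>]+)))?/g;
  const attrs = {};
  let m;
  while ((m = re.exec(body)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// Return one finding per manifest link. Simplification: assumes no ">"
// inside attribute values.
function auditManifestLinks(html) {
  const findings = [];
  for (const [tag] of html.matchAll(/<\s*link\b[^>]*>/gi)) {
    const a = parseAttributes(tag);
    const rels = (a.rel || "").toLowerCase().split(/\s+/);
    if (!rels.includes("manifest")) continue;
    const issues = [];
    // Curly quotes are not attribute delimiters, so they end up in the URL.
    if (/[\u2018\u2019\u201C\u201D]/.test(a.href || "")) {
      issues.push("typographic quotes in href");
    }
    // The fix described on this page: crossorigin="use-credentials".
    if ((a.crossorigin || "").toLowerCase() !== "use-credentials") {
      issues.push("crossorigin is not use-credentials");
    }
    findings.push({ href: a.href || "", issues });
  }
  return findings;
}

// Constructed sample page head.
const SAMPLE_HEAD = `
<link rel="stylesheet" href="site.css">
<link rel="manifest" href="a.json">
<link rel="manifest" href="b.json" crossorigin="anonymous">
<link rel="manifest" href="c.json" crossorigin="use-credentials" />
<link rel="manifest" href=\u201Dd.json\u201D crossorigin="use-credentials" />
`;

for (const f of auditManifestLinks(SAMPLE_HEAD)) {
  console.log(f.href, f.issues.length ? f.issues.join("; ") : "ok");
}
```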
References
https://stackoverflow.com/questions/67259947/access-to-web-manifest-blocked-by-cors-policy