The behavior of 'crossorigin' without a value is the same as
anonymous, which means user credentials such as cookies,
client-side SSL certificates or HTTP authentication will
not be passed on.
We want the preload links to work even when they are behind
a proxy that requires an authentication cookie, such as
Cloudflare Access (CF_Authorization), so we need to explicitly
send credentials with the "use-credentials" value.
ES modules are always fetched with CORS, with anonymous being
the default. Some browsers (Chromium) will realize that the
request is to the same origin, and send credentials anyways,
while others (Safari) will not, so we need to explicitly send
credentials to make sure they load in all cases.
See https://jakearchibald.com/2017/es-modules-in-browsers/