samth at ccs.neu.edu
Tue Apr 9 07:32:10 PDT 2013
On Tue, Apr 9, 2013 at 10:11 AM, Anne van Kesteren <annevk at annevk.nl> wrote:
> On Tue, Apr 9, 2013 at 2:58 PM, Sam Tobin-Hochstadt <samth at ccs.neu.edu> wrote:
>> On Tue, Apr 9, 2013 at 6:36 AM, Anne van Kesteren <annevk at annevk.nl> wrote:
>>> 1) There should be a way to opt into CORS for cross-origin remote
>>> script debugging.
>> What exactly do you mean here? Our plan is that the module loading
>> facility would follow CORS automatically. This will require slight
>> modification to the current design to support the current
>> CORS-ignoring behavior of <script src="">. In particular, some
>> requests will not go through the translation and link hooks. However,
>> what would opting in to CORS involve, and who would be doing it?
> What do you mean by "follow CORS automatically"? Are you introducing
> fetch semantics that differ from <script>?
Yes, the default fetch behavior will be to follow CORS, rather than to
behave like <script>. This is the only way that things like the
translate hook make sense. Additionally, it's my understanding that
the ability of <script> to avoid CORS is a legacy compatibility issue,
rather than an intentional design.
>>> 2) I think we should force utf-8 decoding on these new types of
>>> resources just as we do with workers and anything else that's new and
>> Which step are you referring to? The module loader API is defined
>> entirely in terms of JS strings, not encoded data. If you're
>> suggesting that the default module loader should have different
>> decoding behavior than <script> or <script src="">, then my initial
>> thought is that that would be a mistake, but I'd be interested in your
> It's what we do for workers and basically any new type of text
> resource. We want to avoid exposing new features to the complexity of
> encodings, the security implications around them, and various other
> issues that keep cropping up. Furthermore, by standardizing these new
> formats on utf-8 we encourage everyone to move to that format and
> avoid these issues.
In that case, it's substantially more difficult to describe the
behavior of existing platform behavior in terms of the module loader
API. Additionally, since the module system is designed to allow
smooth migration from existing code, this seems like it could make
developers lives more difficult in unexpected ways.
More information about the es-discuss