bbenvie at mozilla.com
Tue Apr 9 09:33:08 PDT 2013
On 4/9/2013 9:27 AM, Anne van Kesteren wrote:
> 1) Given translation you're required to use CORS for cross-origin
> fetching to protect intranets (unfortunate as that may be). So like
> <script src> is out of the equation. This also means the header is
> required for such cross-origin resources.
> 2) I suspect you want a way to opt into using credentials (similar to
> <script crossorigin=use-credentials src>), but I agree that by default
> you should not include them (similar to <script crossorigin src>).
Based on these two, it would seem to make sense to tie CORS to the
translate step. If translation isn't needed (which is the common use
case) then CORS isn't needed either.
More information about the es-discuss