Module loader

Mark S. Miller erights at google.com
Tue Apr 9 09:39:03 PDT 2013


On Tue, Apr 9, 2013 at 9:33 AM, Brandon Benvie <bbenvie at mozilla.com> wrote:

> On 4/9/2013 9:27 AM, Anne van Kesteren wrote:
>
>> 1) Given translation you're required to use CORS for cross-origin
>> fetching to protect intranets (unfortunate as that may be). So like
>> <script src> is out of the equation. This also means the header is
>> required for such cross-origin resources.
>>
>> 2) I suspect you want a way to opt into using credentials (similar to
>> <script crossorigin=use-credentials src>), but I agree that by default
>> you should not include them (similar to <script crossorigin src>).
>>
>
> Based on these two, it would seem to make sense to tie CORS to the
> translate step. If translation isn't needed (which is the common use case)
> then CORS isn't needed either.


That would be an annoying non-uniformity, but I see the sense of it.
However, if we do adopt that non-uniformity, we should still not send
credentials by default -- even if the request is same origin. In this
regard, we should strive to be safer than the script tag.



>
> ______________________________**_________________
> es-discuss mailing list
> es-discuss at mozilla.org
> https://mail.mozilla.org/**listinfo/es-discuss<https://mail.mozilla.org/listinfo/es-discuss>
>



-- 
    Cheers,
    --MarkM
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.mozilla.org/pipermail/es-discuss/attachments/20130409/f27ab793/attachment.html>


More information about the es-discuss mailing list