dherman at mozilla.com
Tue Apr 9 14:03:21 PDT 2013
On Apr 9, 2013, at 9:33 AM, Brandon Benvie <bbenvie at mozilla.com> wrote:
> On 4/9/2013 9:27 AM, Anne van Kesteren wrote:
>> 1) Given translation you're required to use CORS for cross-origin
>> fetching to protect intranets (unfortunate as that may be). So like
>> <script src> is out of the equation. This also means the header is
>> required for such cross-origin resources.
>> 2) I suspect you want a way to opt into using credentials (similar to
>> <script crossorigin=use-credentials src>), but I agree that by default
>> you should not include them (similar to <script crossorigin src>).
> Based on these two, it would seem to make sense to tie CORS to the translate step. If translation isn't needed (which is the common use case) then CORS isn't needed either.
This is closer to what we've been talking about doing. My rough plan (still working through details) is to preserve the separation of JS from web by allowing a loader to disallow some module sources from going through the translate step. Then the browser's built-in loader will be defined to allow cross-origin modules without CORS headers to be loaded but not translated.
More information about the es-discuss