On Tue, Apr 9, 2013 at 9:33 AM, Brandon Benvie <[email protected]> wrote:
> On 4/9/2013 9:27 AM, Anne van Kesteren wrote:
>
>> 1) Given translation you're required to use CORS for cross-origin
>> fetching to protect intranets (unfortunate as that may be). So like
>> <script src> is out of the equation. This also means the header is
>> required for such cross-origin resources.
>>
>> 2) I suspect you want a way to opt into using credentials (similar to
>> <script crossorigin=use-credentials src>), but I agree that by default
>> you should not include them (similar to <script crossorigin src>).
>>
>
> Based on these two, it would seem to make sense to tie CORS to the
> translate step. If translation isn't needed (which is the common use case)
> then CORS isn't needed either.

That would be an annoying non-uniformity, but I see the sense of it. However, if we do adopt that non-uniformity, we should still not send credentials by default -- even if the request is same origin. In this regard, we should strive to be safer than the script tag.

> _______________________________________________
> es-discuss mailing list
> [email protected]
> https://mail.mozilla.org/listinfo/es-discuss

--
Cheers,
--MarkM
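The policy discussed in this thread, written out as an added example (not code from the thread or from any loader specification): `loaderFetchPolicy`, `sendsCredentials` and the option names are hypothetical, and the `<script>` rows use the Fetch standard's request modes so the loader default can be compared with them.

```javascript
// Added illustration; every function and option name here is hypothetical.

// Request settings the Fetch standard assigns to the <script> forms in the thread.
const SCRIPT_TAG = {
  'src':                             { mode: 'no-cors', credentials: 'include' },
  'crossorigin src':                 { mode: 'cors',    credentials: 'same-origin' },
  'crossorigin=use-credentials src': { mode: 'cors',    credentials: 'include' },
};

// Opaque origins serialize to the string "null" and must never match each other.
function sameOrigin(a, b) {
  const oa = new URL(a).origin;
  const ob = new URL(b).origin;
  return oa !== 'null' && oa === ob;
}

// CORS is tied to the translate step; credentials are opt-in only,
// even when the module is fetched from the page's own origin.
function loaderFetchPolicy(moduleUrl, pageUrl, opts = {}) {
  const { hasTranslate = false, useCredentials = false } = opts;
  const url = new URL(moduleUrl, pageUrl).href; // resolve relative specifiers
  const local = sameOrigin(url, pageUrl);
  let mode;
  if (local) mode = 'same-origin';
  else mode = hasTranslate ? 'cors' : 'no-cors';
  return {
    url,
    mode,
    credentials: useCredentials ? 'include' : 'omit',
    // In cors mode the response must carry Access-Control-Allow-Origin.
    requiresCorsHeader: mode === 'cors',
  };
}

// Would a request with this credentials mode carry cookies / HTTP auth?
function sendsCredentials(credentialsMode, isSameOrigin) {
  if (credentialsMode === 'include') return true;
  if (credentialsMode === 'same-origin') return isSameOrigin;
  return false; // 'omit'
}

// Constructed sample: a same-origin module loaded with default options.
const page = 'https://app.example/index.html';
const policy = loaderFetchPolicy('./lib/util.js', page);
console.log(policy.mode, policy.credentials);                             // loader default
console.log(sendsCredentials(SCRIPT_TAG['crossorigin src'].credentials, true)); // script tag
```

For a same-origin fetch, `<script crossorigin src>` still sends credentials, while the loader default above does not; that gap is the "safer than the script tag" behaviour.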

