On Apr 9, 2013, at 9:33 AM, Brandon Benvie <[email protected]> wrote:

> On 4/9/2013 9:27 AM, Anne van Kesteren wrote:
>> 1) Given translation you're required to use CORS for cross-origin
>> fetching to protect intranets (unfortunate as that may be). So like
>> <script src> is out of the equation. This also means the header is
>> required for such cross-origin resources.
>> 
>> 2) I suspect you want a way to opt into using credentials (similar to
>> <script crossorigin=use-credentials src>), but I agree that by default
>> you should not include them (similar to <script crossorigin src>).
> 
> Based on these two, it would seem to make sense to tie CORS to the translate 
> step. If translation isn't needed (which is the common use case) then CORS 
> isn't needed either.

This is closer to what we've been talking about doing. My rough plan (still 
working through details) is to preserve the separation of JS from web by 
allowing a loader to disallow some module sources from going through the 
translate step. Then the browser's built-in loader will be defined to allow 
cross-origin modules without CORS headers to be loaded but not translated.

Dave

_______________________________________________
es-discuss mailing list
[email protected]
https://mail.mozilla.org/listinfo/es-discuss
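
An added example, not part of the original thread and not code from any loader specification: a small model of the policy discussed above, where a cross-origin module is always loadable but its source reaches the translate step only if the response passes the CORS check. The names `moduleDecision`, `passesCors`, the `credentials` values and the sample origins are assumptions made for illustration.

```javascript
'use strict';
// Added illustration; function and field names are hypothetical.

// Lower-case header names so lookups are case-insensitive, as in HTTP.
function normalize(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = String(v).trim();
  return out;
}

// CORS check on the response: may this origin read the body?
function passesCors(docOrigin, headers, withCredentials) {
  const h = normalize(headers);
  const allowOrigin = h['access-control-allow-origin'];
  if (allowOrigin === undefined) return false;
  if (withCredentials) {
    // With credentials the wildcard is not accepted, and the server must
    // also send Access-Control-Allow-Credentials: true.
    return allowOrigin === docOrigin && h['access-control-allow-credentials'] === 'true';
  }
  return allowOrigin === '*' || allowOrigin === docOrigin;
}

// Decision for one module fetch. Assumption: a cross-origin module that
// fails the CORS check is still loaded, but its source is withheld from
// the translate step.
function moduleDecision(docOrigin, moduleUrl, headers = {}, credentials = 'omit') {
  if (new URL(moduleUrl).origin === docOrigin) return { load: true, translate: true };
  const readable = passesCors(docOrigin, headers, credentials === 'use-credentials');
  return { load: true, translate: readable };
}

// Constructed sample inputs (not real hosts).
const DOC = 'https://app.example';
const samples = [
  ['https://app.example/a.js', {}, 'omit'],
  ['https://intranet.example/b.js', {}, 'omit'],
  ['https://cdn.example/c.js', { 'Access-Control-Allow-Origin': '*' }, 'omit'],
  ['https://cdn.example/c.js', { 'Access-Control-Allow-Origin': '*' }, 'use-credentials'],
];
for (const [url, headers, cred] of samples) {
  console.log(url, cred, JSON.stringify(moduleDecision(DOC, url, headers, cred)));
}
```

The second sample is the intranet case from the thread: the module can run, but a translate hook never sees its text.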
