On Tue, Jul 22, 2014 at 12:36 AM, Hajime Morrita <morr...@google.com> wrote: > It behaved like that before. I changed it to current one so that it works > with credential-protected in-house or staged apps.
You'll need to elaborate a bit, I'm not sure I understand. In any event, I think XMLHttpRequest's default behavior of only sending credentials same-origin is somewhat confusing. If we only offer one mode for rel=import we should either always include credentials (and thus require more complicated CORS headers) or never. -- http://annevankesteren.nl/