I encountered a pre-release site that uses credentials to protect it from the public. Imports in that site failed to load because the UA didn't send credentials. The current behavior solved this problem.
There are a couple of options that I didn't take:

- Always send credentials: We clearly shouldn't do this, for the same reason XHR doesn't.
- Introduce a @crossorigin attribute: This seemed plausible, but I worried that it could be just redundant and hurt brevity if credential-protected sites are the mainstream. Once a popular FAQ site recommends putting it on all the time, that would become bad news.

Then send-only-same-origin looked like a promising way to go. I think following XHR behavior makes sense because it is well understood, as it's been there for a long time, and both imports and XHR load documents. I'm not super confident about this though.

On Sun, Jul 27, 2014 at 4:18 AM, Anne van Kesteren <ann...@annevk.nl> wrote:
> On Tue, Jul 22, 2014 at 12:36 AM, Hajime Morrita <morr...@google.com>
> wrote:
> > It behaved like that before. I changed it to the current one so that it works
> > with credential-protected in-house or staged apps.
>
> You'll need to elaborate a bit, I'm not sure I understand. In any
> event, I think XMLHttpRequest's default behavior of only sending
> credentials same-origin is somewhat confusing. If we only offer one
> mode for rel=import we should either always include credentials (and
> thus require more complicated CORS headers) or never.
>
>
>
> --
> http://annevankesteren.nl/
>

--
morrita
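As an added illustration that is not part of this thread, the snippet below models the three credential policies discussed (always, never, and XHR's same-origin default) and the CORS response check each implies; the origins and headers are constructed sample values, and it assumes cross-origin imports are subject to the same CORS check as XHR.

```javascript
// Added example, not code from the thread or from any browser engine.
// Models which policy sends cookies/HTTP auth with an import request and
// whether the CORS headers on the response then permit the load.

const sameOrigin = (a, b) => a === b;

// Does a request from documentOrigin to targetOrigin carry credentials
// under the given policy?
function sendsCredentials(policy, documentOrigin, targetOrigin) {
  switch (policy) {
    case 'always': return true;        // the option rejected in the thread
    case 'never': return false;        // the other single-mode alternative
    case 'same-origin':                // XHR's default, what imports now do
      return sameOrigin(documentOrigin, targetOrigin);
    default: throw new Error(`unknown policy: ${policy}`);
  }
}

// CORS resource-sharing check. Same-origin responses need no CORS headers.
// Cross-origin without credentials accepts '*' or the exact origin.
// Cross-origin with credentials requires the exact origin (no wildcard)
// plus Access-Control-Allow-Credentials: true. This is the "more
// complicated CORS headers" cost of an always-send policy.
function corsAllows(documentOrigin, targetOrigin, credentialed, headers) {
  if (sameOrigin(documentOrigin, targetOrigin)) return true;
  const acao = headers['access-control-allow-origin'];
  if (acao === undefined) return false;
  if (!credentialed) return acao === '*' || acao === documentOrigin;
  return acao === documentOrigin &&
         headers['access-control-allow-credentials'] === 'true';
}

// Would an import of `target` from a page at `doc` load under `policy`?
function importLoads(policy, doc, target, headers) {
  const credentialed = sendsCredentials(policy, doc, target);
  return corsAllows(doc, target, credentialed, headers);
}

// Constructed scenario: a staged app behind HTTP auth importing its own
// components, and a public CDN that answers with a wildcard origin.
const STAGED = 'https://staging.example';
const CDN = 'https://cdn.example';
const WILDCARD = { 'access-control-allow-origin': '*' };
const ECHOED = { 'access-control-allow-origin': STAGED,
                 'access-control-allow-credentials': 'true' };
```

Under the same-origin policy the staged app's own imports carry the auth credentials without any CORS headers, while the CDN import still works credential-less against a wildcard; switching to always-send breaks that CDN import until the CDN echoes the origin and allows credentials.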