I encountered a pre-release site that uses credentials to protect it from
Imports in that site failed to load because the UA didn't send credentials.
The current behavior solved this problem.

There are a couple of options that I didn't take:

- Always send credentials: We clearly shouldn't do this, for the same reason
that XHR doesn't do this.

- Introduce @crossorigin attribute: This seemed plausible, but I worried
that this could be just redundant and hurt brevity
  if credential-protected sites are the mainstream.
  Once a popular FAQ site recommends putting it on all the time, that would
become bad news.

Then send-only-same-origin looked like a promising way to go.
I think following XHR behavior makes sense because it is well understood, as
it's been there for a long time, and both imports and XHR load documents.
I'm not super confident about this though.

On Sun, Jul 27, 2014 at 4:18 AM, Anne van Kesteren <ann...@annevk.nl> wrote:

> On Tue, Jul 22, 2014 at 12:36 AM, Hajime Morrita <morr...@google.com>
> wrote:
> > It behaved like that before. I changed it to the current one so that it works
> > with credential-protected in-house or staged apps.
> You'll need to elaborate a bit, I'm not sure I understand. In any
> event, I think XMLHttpRequest's default behavior of only sending
> credentials same-origin is somewhat confusing. If we only offer one
> mode for rel=import we should either always include credentials (and
> thus require more complicated CORS headers) or never.

> --
> http://annevankesteren.nl/
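The three credential policies weighed in this thread (never, same-origin only, always), as an added model that is not code from the thread or from any browser; the Fetch-style mode names ('omit', 'same-origin', 'include') and the `stagedServer` stand-in for a credential-protected pre-release site are assumptions of this example.

```javascript
// Added example, not from the thread: models the credential policies discussed
// for <link rel="import">, using Fetch-style mode names as an assumption.

function sameOrigin(a, b) {
  const ua = new URL(a), ub = new URL(b);
  // Origin = scheme + host + port; URL normalises default ports to "".
  return ua.protocol === ub.protocol && ua.hostname === ub.hostname && ua.port === ub.port;
}

function shouldSendCredentials(documentUrl, importUrl, mode) {
  switch (mode) {
    case 'omit': return false;                                       // never
    case 'include': return true;                                     // always
    case 'same-origin': return sameOrigin(documentUrl, importUrl);   // XHR default
    default: throw new Error(`unknown credentials mode: ${mode}`);
  }
}

// Response headers the import's origin must send for a cross-origin import to
// be readable. Once credentials ride along, CORS forbids the '*' wildcard and
// demands an explicit Access-Control-Allow-Credentials: true (the "more
// complicated CORS headers" mentioned above).
function requiredCorsHeaders(documentUrl, importUrl, mode) {
  if (sameOrigin(documentUrl, importUrl)) return {};   // no CORS involved
  if (!shouldSendCredentials(documentUrl, importUrl, mode)) {
    return { 'Access-Control-Allow-Origin': '*' };
  }
  return {
    'Access-Control-Allow-Origin': new URL(documentUrl).origin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',
  };
}

// Constructed staging server: every document behind it requires a session cookie.
function stagedServer(requestHasCookie) {
  return requestHasCookie ? 200 : 401;
}

// The scenario from the thread: a credential-protected pre-release site importing
// its own components. Returns the HTTP status the import fetch would receive.
function importStatus(documentUrl, importUrl, mode) {
  return stagedServer(shouldSendCredentials(documentUrl, importUrl, mode));
}
```

With 'omit' the same-origin import of the staged app gets a 401, which is the failure described at the top of the message; 'same-origin' fixes it without requiring any CORS headers on the staging server.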