21226 2013-03-08 18:06:46 +0000 [Imports]: Components fetching should always use CORS. 2013-09-19 01:55:40 +0000 1 1 1 Unclassified WebAppsWG HISTORICAL - Component Model unspecified PC All RESOLVED FIXED P2 normal --- 20683 1 dglazkov dglazkov annevk esprehn morrita zcorpan public-webapps-bugzilla oldest_to_newest 84125 0 dglazkov 2013-03-08 18:06:46 +0000 Otherwise, there's a nasty side effect of being able to exploit a document by treating it as a component. 85119 1 annevk 2013-03-28 19:46:48 +0000 There's also the opposite scenario of a hostile component. 85826 2 zcorpan 2013-04-09 21:15:08 +0000 Please also see http://www.w3.org/mid/op.wuyfg2o4idj3kv@simons-macbook-pro.local 90956 3 dglazkov 2013-07-18 22:39:17 +0000 Did I get this right? https://dvcs.w3.org/hg/webcomponents/rev/27c0e8822ebb 90959 4 dglazkov 2013-07-18 22:48:17 +0000 3:42 PM <annevk> dglazkov: so now you cannot have CORS-cross-origin resources so that part of the spec doesn't make sense anymore 3:43 PM <annevk> dglazkov: you also need to say what happens if fetching failed 3:44 PM <annevk> I guess it's mostly fine otherwise, although I wonder if it shouldn't use a crossorigin attribute on <link> like most other things we have 90995 5 dglazkov 2013-07-19 17:27:58 +0000 (In reply to comment #4) > 3:44 PM <annevk> although I wonder if it > shouldn't use a crossorigin attribute on <link> like most other things we > have But then if you don't specify the attribute, you'll just have a No CORS state, right? 90999 6 annevk 2013-07-19 17:46:33 +0000 The <track> element works like that, yes. No real opinion on what is better, but some consistency throughout would be good. 93542 7 morrita 2013-09-19 01:55:40 +0000 (In reply to Anne from comment #6) > The <track> element works like that, yes. No real opinion on what is better, > but some consistency throughout would be good. For <track>, it makes sense to load it but not to expose the detail through API. So having @crossorigin (on its parent <media>) makes sense. However for imports, it doesn't make sense to do that: Unlike movie subtitles, API-invisible imports aren't useful at all. Theoretically we could possibly have @crossorigin for imports so that the author can make requests with credentials. But I don't see any usecase for that. In contrast, not having @crossdomain makes the usage easier/simpler. If we introduce @crossorigin, people needs to give @crossorigin all the time once they want it CDN-aware, which is sad. I prefer to have better default than to just make the orange consistent to apples. I'm closing this for now. Feel free to reopen this to continue conversation.