This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.
Currently we cannot use (or aren't clear if we can use) data: URL. This is because the origin of data: URL isn't clearly defined. In Blink/WebKit, I believe it has its own origin. And AFAIK there is no way to do CORS request against data: URL.
Yes there is. Per http://fetch.spec.whatwg.org/ a data URL will return a response that isn't tainted. It might take some time for everyone to get on board with this architecture but given service workers I think this is the way to go.
(In reply to Anne from comment #1) > Yes there is. Per http://fetch.spec.whatwg.org/ a data URL will return a > response that isn't tainted. > > It might take some time for everyone to get on board with this architecture > but given service workers I think this is the way to go. Thanks for the feedback Anne! So based on the spec, it seems data:// URL should return the response. because it doesn't set response tainting mode and the basic fetch algorithm doesn't see CORS related flags for data: url. That means the imports spec doesn't have to take care of it.
Philip mentioned something on https://code.google.com/p/chromium/issues/detail?id=350741 about re-opening this bug.
Oh, that was poorly phrased, my guess was that the Chromium bug ought to be re-opened. In any event, the spec and Blink now seem to disagree, so I think one of the bugs ought to be re-opened.