[webcomponents] [imports]: Respect the crossOrigin attribute (bugzilla: 25568) (#216) from Hayato Ito on 2015-07-06 (public-webapps-github@w3.org from July 2015)

From: Hayato Ito <notifications@github.com>
Date: Mon, 06 Jul 2015 00:40:32 -0700
To: w3c/webcomponents <webcomponents@noreply.github.com>
Message-ID: <w3c/webcomponents/issues/216@github.com>

Title: [imports]: Respect the crossOrigin attribute (bugzilla: 25568)

Migrated from: https://www.w3.org/Bugs/Public/show_bug.cgi?id=25568

----
comment: 0
comment_url: https://www.w3.org/Bugs/Public/show_bug.cgi?id=25568#c0
*Philip Rogers* wrote on 2014-05-06 03:42:06 +0000.

The 7.4 Fetching Import section states "All imports ... must be loaded using the fetching algorithm with request's origin set to the origin of the master docment [SIC], the mode to CORS and the omit credentials mode to CORS."

Why is the \<link\> crossOrigin attribute[1] not respected here? This would allow non-anonymous imports, for example.

[1] http://www.w3.org/html/wg/drafts/html/master/single-page.html#attr-link-media

----

comment: 1
comment_url: https://www.w3.org/Bugs/Public/show_bug.cgi?id=25568#c1
*Morrita Hajime* wrote on 2014-05-07 00:59:02 +0000.

This seems a reasonable addition.

----

comment: 2
comment_url: https://www.w3.org/Bugs/Public/show_bug.cgi?id=25568#c2
*Morrita Hajime* wrote on 2014-05-08 23:22:05 +0000.

...but turns out this is a bit tricky.
That's because cross-origin handling for imports is different from other resources.

We have to touch the definition of CORS setting attribute [1] so that referring
side can override the value of omitted case.

[1] http://www.whatwg.org/specs/web-apps/current-work/multipage/fetching-resources.html#cors-settings-attribute

---
Reply to this email directly or view it on GitHub:
https://github.com/w3c/webcomponents/issues/216

Received on Monday, 6 July 2015 07:41:16 UTC