On 4/9/2013 9:27 AM, Anne van Kesteren wrote:
> 1) Given translation you're required to use CORS for cross-origin
> fetching to protect intranets (unfortunate as that may be). So like
> <script src> is out of the equation. This also means the header is
> required for such cross-origin resources.
>
> 2) I suspect you want a way to opt into using credentials (similar to
> <script crossorigin=use-credentials src>), but I agree that by default
> you should not include them (similar to <script crossorigin src>).

Based on these two, it would seem to make sense to tie CORS to the 
translate step. If translation isn't needed (which is the common use 
case) then CORS isn't needed either.

On 4/9/2013 9:27 AM, Anne van Kesteren wrote:
> 1. Given translation you're required to use CORS for cross-origin fetching to protect intranets (unfortunate as that may be). So like `<script src>` is out of the equation. This also means the header is required for such cross-origin resources.
>
> 2. I suspect you want a way to opt into using credentials (similar to `<script crossorigin=use-credentials src>`), but I agree that by default you should not include them (similar to `<script crossorigin src>`).

Based on these two, it would seem to make sense to tie CORS to the translate step. If translation isn't needed (which is the common use case) then CORS isn't needed either.