This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.

Bug 25568 - [imports]: Respect the crossOrigin attribute
Summary: [imports]: Respect the crossOrigin attribute
Status: RESOLVED MOVED
Alias: None
Product: WebAppsWG
Classification: Unclassified
Component: HISTORICAL - Component Model (show other bugs)
Version: unspecified
Hardware: PC All
: P2 normal
Target Milestone: ---
Assignee: Morrita Hajime
QA Contact: public-webapps-bugzilla
URL:
Whiteboard:
Keywords:
Depends on:
Blocks: 20683
  Show dependency treegraph
 
Reported: 2014-05-06 03:42 UTC by Philip Rogers
Modified: 2015-07-06 08:14 UTC (History)
4 users (show)

See Also:

Attachments

Description Philip Rogers 2014-05-06 03:42:06 UTC 
The 7.4 Fetching Import section states "All imports ... must be loaded using the fetching algorithm with request's origin set to the origin of the master docment [SIC], the mode to CORS and the omit credentials mode to CORS."

Why is the <link> crossOrigin attribute[1] not respected here? This would allow non-anonymous imports, for example.

[1] http://www.w3.org/html/wg/drafts/html/master/single-page.html#attr-link-media
Comment 1 Morrita Hajime 2014-05-07 00:59:02 UTC 
This seems a reasonable addition.
Comment 2 Morrita Hajime 2014-05-08 23:22:05 UTC 
...but turns out this is a bit tricky.
That's because cross-origin handling for imports is different from other resources.

We have to touch the definition of CORS setting attribute [1] so that referring
side can override the value of omitted case.

[1] http://www.whatwg.org/specs/web-apps/current-work/multipage/fetching-resources.html#cors-settings-attribute
Comment 3 Hayato Ito 2015-07-06 08:14:56 UTC 
Moved to https://github.com/w3c/webcomponents/issues/216