Cross-origin module scripts require CORS response headers
- Published at
- Updated at
- Reading time
While reading Jake Archibald's article How to win at CORS, I learned that classic and module scripts treat CORS (Cross-Origin Resource Sharing) differently.
<!-- Not a CORS request --> <script src="https://example.com/script.js"></script> <!-- CORS request --> <script type="module" src="https://example.com/script.js"></script>
Access-Control-Allow-Origin header or it will be blocked by the browser.
Classic scripts don't require it to not break the web and guarantee backward compatibility. Very interesting! If you want to learn more, read the article. It's a good one.