HTML content might contain secret data and is reasonably protected by SOP. JS content is poorly protected and shouldn't contain secrets.
I'm not sure, but I think writing up what I said more formally and then proposing something concrete would allow us to find out!
Hm, okay; if it's just cross-origin loading of privileged information in JS, then, yes, obviously not a good practice
But if your JS can be loaded cross-origin, and allows for reading credentialed data, that's more complicated