By default <script type="module"> will omit credentials for all module fetches, much like the default for fetch().
However…
<!-- No credentials -->
<script type="module" src="foo.js"></script>
<!-- With credentials -->
<script type="module" src="foo.js" crossorigin></script>
It feels really weird that crossorigin implies adding credentials for same-origin requests.
By default
<script type="module">will omit credentials for all module fetches, much like the default forfetch().However…
It feels really weird that
crossoriginimplies adding credentials for same-origin requests.