Modern web platform features, such as <script type="module">, CSS fonts, and web app manifest, use the "cors" fetch mode. This is in contrast to legacy features such as <img> and classic <script>.
This change is important for security, especially in light of Spectre. It obviates the need for obtuse workarounds like CORP, ORB, and cross-origin tainting.
I'd like to strongly request that <model> follow this guideline and use "cors" for all its fetches. (Thus, it can only load models cross-origin if they opt in with Access-Control-Allow-Origin: *.)
I originally filed this as WebKit/explainers#63 but it seems the draft resolved in a different direction.
See also w3ctag/design-principles#238.
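
The difference between the two fetch modes discussed above, as an added example that is not part of the original issue: a simplified JavaScript model of the Fetch Standard's response tainting and CORS check. The origins, URLs and header maps are constructed sample values, header names are assumed to be lowercase, and preflight and redirects are left out.

```javascript
// Simplified CORS check from the Fetch Standard (no preflight, no redirects).
// `headers` is a plain object with lowercase header names (assumption of this example).
function corsCheck(requestOrigin, credentialsMode, headers) {
  const allowOrigin = headers["access-control-allow-origin"];
  if (allowOrigin === undefined) return false;               // no opt-in at all
  if (credentialsMode !== "include" && allowOrigin === "*") return true;
  if (allowOrigin !== requestOrigin) return false;           // must match the serialized origin exactly
  if (credentialsMode !== "include") return true;
  // Credentialed requests additionally need an explicit allow-credentials opt-in.
  return headers["access-control-allow-credentials"] === "true";
}

// Returns the response type the page would observe:
//   "basic"         same-origin, fully readable
//   "cors"          cross-origin, readable because the server opted in
//   "opaque"        cross-origin "no-cors": the body is delivered to the embedding
//                   process but hidden from script (the legacy <img>/<script> model)
//   "network-error" the fetch fails and no body is delivered
function responseType({ mode, credentials = "same-origin", requestOrigin, resourceUrl, headers }) {
  if (new URL(resourceUrl).origin === requestOrigin) return "basic";
  switch (mode) {
    case "same-origin":
      return "network-error";
    case "no-cors":
      return "opaque";
    case "cors":
      return corsCheck(requestOrigin, credentials, headers) ? "cors" : "network-error";
    default:
      throw new TypeError(`unsupported mode: ${mode}`);
  }
}

// Constructed sample: a page on app.example embedding a model hosted on cdn.example.
const sample = {
  requestOrigin: "https://app.example",
  resourceUrl: "https://cdn.example/models/teapot.usdz",
};
const noOptIn = {};
const optIn = { "access-control-allow-origin": "*" };

console.log(responseType({ ...sample, mode: "no-cors", headers: noOptIn }));
console.log(responseType({ ...sample, mode: "cors", headers: noOptIn }));
console.log(responseType({ ...sample, mode: "cors", headers: optIn }));
```
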