If one sets a secure Cross-Origin-Resource-Sharing header on ones own webapp, this tag is blocked (at least in Firefox & Chrome on MacOS):
<script src="https://aframe.io/releases/1.7.1/aframe.min.js"></script>
while this tag is not:
<script src="https://cdn.jsdelivr.net/gh/c-frame/aframe-extras@7.5.2/dist/aframe-extras.loaders.min.js"></script>
The key difference appears to be that the latter is server with the header
cross-origin-resource-policy: cross-origin which says "this resource can be used by any website"
while the former has no such header.
(The header access-control-allow-origin: * sent by aframe.io is relevant to HTML pages served from aframe.io, but is irrelevant to webapps running on other origins.)
If one sets a secure Cross-Origin-Resource-Sharing header on ones own webapp, this tag is blocked (at least in Firefox & Chrome on MacOS):
<script src="https://aframe.io/releases/1.7.1/aframe.min.js"></script>while this tag is not:
<script src="https://cdn.jsdelivr.net/gh/c-frame/aframe-extras@7.5.2/dist/aframe-extras.loaders.min.js"></script>The key difference appears to be that the latter is server with the header
cross-origin-resource-policy: cross-originwhich says "this resource can be used by any website"while the former has no such header.
(The header
access-control-allow-origin: *sent by aframe.io is relevant to HTML pages served from aframe.io, but is irrelevant to webapps running on other origins.)