tc39 / proposal-module-declarations

JavaScript Module Declarations
https://tc39.es/proposal-module-declarations
MIT License

Why the same-origin restriction? #11

Closed joeldenning closed 3 years ago

joeldenning commented 3 years ago

In this section, it says the following:

JS module bundles are restricted to just same-origin JS, so they are analogous in scope to what is currently done with popular bundlers like webpack and rollup, not adding more power.

Does this mean that it would not be possible to load a module bundle at https://cdn.example.com/vendors.js from a website on https://www.example.com?

If so, why? The analogy to webpack/rollup here confused me, since it is definitely possible to load webpack bundles cross origin.

Is it a security concern? If so, what attack vector does this address? To me, cross-origin loading of module bundles would be extremely common, and I can't think of any additional attack vectors introduced via <script type="module" src="//other-origin.com/vendors.js#a"> that don't exist with <script type="module" src="//other-origin.com/vendors.js">

littledan commented 3 years ago

It would definitely be possible to have a cross-origin script tag targeting a module bundle, so practical CDN cases should work just fine. What is not permitted is a bundle pretending that resources inside the bundle come from another origin compared to where the bundle is. We should probably clarify the README.
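The distinction drawn in the reply above separates two questions that are easy to conflate: whether a document may load a bundle from another origin (yes, the CDN case), and whether a bundle may declare that a module inside it lives at a URL on a different origin from the bundle itself (no). The following is an added example that is not code from the proposal or from either participant; it models a bundle as its URL plus the specifiers of the modules it declares and applies the two checks with the standard URL API. The function names, the bundle representation, and the sample URLs are illustrative assumptions, and the http(s)-only rule in the first check is a simplification, not a statement of what the proposal or browsers require.

```javascript
// Added example, not from the proposal: a toy model of the same-origin rule
// discussed in this issue. Names, data shapes and sample URLs are assumptions.

// Question 1: may a document at documentUrl load a bundle via
// <script type="module" src=bundleUrl>? Cross-origin is permitted, so the
// only thing this toy check enforces is that the reference resolves to an
// http(s) URL (a simplification for illustration). Protocol-relative
// references such as "//cdn.example.com/vendors.js" resolve against the
// document's scheme, as they would in a real page.
function canDocumentLoadBundle(documentUrl, bundleUrl) {
  const resolved = new URL(bundleUrl, documentUrl);
  return resolved.protocol === 'https:' || resolved.protocol === 'http:';
}

// Question 2: may the bundle at bundleUrl declare each of these modules?
// Every declared specifier is resolved relative to the bundle URL, and any
// that lands on a different origin than the bundle is rejected. This is the
// "bundle pretending its contents come from another origin" case: a bundle
// served from cdn.example.com must not be able to claim it contains
// https://www.example.com/app.js.
function checkBundleDeclarations(bundleUrl, declaredSpecifiers) {
  const base = new URL(bundleUrl);
  const accepted = [];
  const rejected = [];
  for (const specifier of declaredSpecifiers) {
    const resolved = new URL(specifier, base);
    if (resolved.origin === base.origin) {
      accepted.push(resolved.href);
    } else {
      rejected.push({
        specifier,
        resolved: resolved.href,
        reason: `module origin ${resolved.origin} differs from bundle origin ${base.origin}`,
      });
    }
  }
  return { accepted, rejected };
}

// Sample usage with constructed URLs: a first-party page loading a CDN bundle
// whose declared modules are a fragment, a relative path, and a first-party
// URL the CDN has no business claiming.
const documentUrl = 'https://www.example.com/';
const bundleUrl = '//cdn.example.com/vendors.js';
const bundleAbsolute = new URL(bundleUrl, documentUrl).href;

const loadable = canDocumentLoadBundle(documentUrl, bundleUrl);
const result = checkBundleDeclarations(bundleAbsolute, [
  '#a',
  './lib/util.js',
  'https://www.example.com/app.js',
]);

console.log('document may load bundle:', loadable);
console.log('accepted module URLs:', result.accepted);
console.log('rejected declarations:', result.rejected);
```

The first check says nothing about the document's origin versus the bundle's, which is the point of the reply: the `#a` fragment form is no more restricted than a plain cross-origin module script. The second check is where the restriction actually bites, and it compares the declared module's origin with the bundle's origin, never with the embedding document's.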

joeldenning commented 3 years ago

I see, thanks for the clarification!