Basically, this is the problem: when loading JS viatags, there is no problem, since tags don't need to honor the same origin policy. When you load JS dynamically (e.g. TinyMCE, Panels, etc.), you're violating the same origin policy. The only way around that in older browsers is by using JSONP. Newer browsers support the CORS specification, which allows you to safely load resources from other origins. See http://www.metaltoad.com/blog/using-jsonp-safely for a nice explanation. Browser support (source: http://en.wikipedia.org/wiki/Cross-Origin_Resource_Sharing):
CORS is supported by all browsers based on the following layout engines: - Gecko 1.9.1 (Firefox 3.5, SeaMonkey 2.0) and above - WebKit (Initial revision uncertain, Safari 4 and above, Google Chrome 3 and above... possibly earlier) - MSHTML/Trident 4.0 (Internet Explorer 8) provides partial support via the XDomainRequest object. The following browsers are also noteworthy in their lack of CORS support: - Opera does not implement CORS as of version 10.61. - Camino does not implement CORS in the 2.0.x release series as these versions are based on Gecko 1.9.0. - As of version 0.10.2, Arora exposes WebKit's CORS-related APIs, but attempted cross-origin requests will fail. So, unfortunately, we'll still have to use JSONP maintain a blacklist of files (specifically JS files) until all browsers (or at least the majority of all internet visits) support CORS. That's at least a few years away. So there's no real rush to support CORS in the CDN module. However, there is one already fairly common case: the loading of web fonts in Firefox >= 3.5. Web fonts are only supported in recent browsers, and recent browsers support CORS. Hence it makes sense to add CORS support for those files (also see ). See http://openfontlibrary.org/wiki/Blocking_font_linking_from_other_websites for an example. So at least this subset of CORS should be supported by the CDN module. It should at least be documented, but preferably, the CDN module would update the .htaccess file. This does not block the release of version 2.0, it can easily be added later on.