crossorigin="anonymous" added to remoteEntry.js causes CORS errors without the CORS policy

[tokerson]

Hi
First of all, I'd like to say you are doing a great job with the module federation project and we appreciate its rapid development and constant improvements. It's the first discussion I open in this project so please let me know if it should be an issue instead.

My use case
We're using the @module-federation/runtime 0.1.18 in our host to load the remoteEntry.js file from our remote.
After bumping the version from 0.1.18 to 0.1.19 the app suddenly broke due to errors while loading the remoteEntry.js file.
It turned out that the request for it is now being made in a cors mode, while previously it was done in the no-cors mode. I think the reason for it is the change in this PR https://github.com/module-federation/core/pull/2580/files which added crossorigin="anonymous" to the script tag. We managed to fix that by simply setting the CORS policy in the nginx that is serving our remote chunks.

Suggestion for change
On the other hand, all other chunks from the remote are still fetched in the no-cors mode. I think it would be beneficial to unify the approach and trigger all fetches in the same mode or maybe allow devs to decide about this mode via a prop in the init function or something like that. For our case, the cors mode is beneficial since it allows Sentry Replays to save the response codes of the requests to remote correctly. With the no-cors mode, all of the requests in replays have status 0.

I also had issues finding the reason for that change since it is not listed in the CHANGELOG and there are no mentions of the crossorigin property in the documentation.

[tokerson]

Hi, I can see that the problem with CORS has been resolved in this release https://github.com/module-federation/core/releases/tag/v0.2.5 and now all of the requests are again done in the no-cors mode.

However, my question remains still valid. Is there any way that I can set all requests to be handled in the cors mode instead?