- make sure all script files are served with CORS Allow-Origin headers
- make sure script tags added by ResourceLoader in the process of module loading have a crossorigin="anonymous" attribute
This should only be done if T507 shows that CORS fetches work reliably for the overwhelming majority of users.
If this turns out to be problematic, T513 could be an alternative.