Source maps are extremely helpful when stepping through minified library code, among other things. The first few lines of a .js file using source maps could look like this by default:
/*! jQuery v1.10.2 | (c) 2005, 2013 jQuery Foundation, Inc. | jquery.org/license
//@ sourceMappingURL=jquery.min.map
*/
If you don't have jquery.min.map in the same directory, a browser that supports source mapping will make a redundant http request resulting in a 404 error (sounds familiar, favicon anyone?).
I've noticed that sourceMappingURL could point to another domain; I'm not advocating the practice but it seems peculiar that it wouldn't be subject to CORS:
/*! jQuery v1.10.2 | (c) 2005, 2013 jQuery Foundation, Inc. | jquery.org/license
//@ sourceMappingURL=//ajax.googleapis.com/ajax/libs/jquery/1.10.2/jquery.min.map
*/
Are mapped unminified sources safe? i.e. if in the example above the mapped server were compromised and malicious code added to the source, could/would it get executed? What about if you're debugging code and stepping through it? I can't find any implementation details that would answer this.
When you step through code, you're executing the minified code, not the code in the source map. The source map is just used for display in the debugger.