HTML attribute: crossorigin
Thecrossorigin attribute, valid on the<audio>,<img>,<link>,<script>, and<video> elements, provides support forCORS, defining how the element handles cross-origin requests, thereby enabling the configuration of the CORS requests for the element's fetched data. Depending on the element, the attribute can be a CORS settings attribute.
Thecrossorigin content attribute on media elements is a CORS settings attribute.
These attributes areenumerated, and have the following possible values:
anonymousRequest uses CORS headers and credentials flag is set to
'same-origin'. There is no exchange ofuser credentials via cookies, client-side TLS certificates or HTTP authentication, unless destination is the same origin.use-credentialsRequest uses CORS headers, credentials flag is set to
'include'anduser credentials are always included.""Setting the attribute name to an empty value, like
crossoriginorcrossorigin="", is the same asanonymous.
An invalid keyword and an empty string will be handled as theanonymous keyword.
By default (that is, when the attribute is not specified), CORS is not used at all. The user agent will not ask for permission for full access to the resource and in the case of a cross-origin request, certain limitations will be applied based on the type of element concerned:
| Element | Restrictions |
img,audio,video | When resource is placed in<canvas>, element is marked astainted. |
script | Access to error logging viawindow.onerror will be limited. |
link | Request with no appropriatecrossorigin header may be discarded. |
Note:Thecrossorigin attribute is not supported forrel="icon" in Chromium-based browsers. See theopen Chromium issue.
Example:crossorigin with the<script> element
You can use the following<script> element to tell a browser to execute thehttps://example.com/example-framework.js script without sending user-credentials.
<script src="https://example.com/example-framework.js" crossorigin="anonymous"></script>Example: Web manifest with credentials
Theuse-credentials value must be used when fetching amanifest that requires credentials, even if the file is from the same origin.
<link rel="manifest" href="/app.webmanifest" crossorigin="use-credentials" />Specifications
| Specification |
|---|
| HTML # cors-settings-attributes |