HTML attribute: crossorigin
The crossorigin attribute, valid on the <audio>, <img>, <link>, <script>, and <video> elements, provides support for CORS, defining how the element handles crossorigin requests, thereby enabling the configuration of the CORS requests for the element's fetched data. Depending on the element, the attribute can be a CORS settings attribute.
The crossorigin content attribute on media elements is a CORS settings attribute.
These attributes are enumerated, and have the following possible values:
| Keyword | Description |
anonymous |
Request uses CORS headers and credentials flag is set to 'same-origin'. There is no exchange of **user credentials** via cookies, client-side SSL certificates or HTTP authentication, unless destination is the same origin. |
use-credentials |
Request uses CORS headers, credentials flag is set to 'include' and **user credentials** are always included. |
"" |
Setting the attribute name to an empty value, like
crossorigin or crossorigin="", is the same as
anonymous.
|
An invalid keyword and an empty string will be handled as the anonymous keyword.
By default (that is, when the attribute is not specified), CORS is not used at all. User-agent will not ask for permission for full access to the resource and in case of cross-origin request, its usage will be limited in following ways:
| Element | Restrictions |
img, audio, video |
When resource is placed in <canvas>, element is marked as "[tainted](/en-US/docs/Web/HTML/CORS_enabled_image#what_is_a_tainted_canvas)". |
script |
Access to error logging via window.onerror will be limited. |
link |
Request with no appropriate `crossorigin` header may be discarded. |
Note: Prior to Firefox 83 the crossorigin attribute was not supported for rel="icon" there is also an open issue for Chrome.
Example: crossorigin with the script element
You can use the following <script> element to tell a browser to execute the https://example.com/example-framework.js script without sending user-credentials.
<script src="https://example.com/example-framework.js" crossorigin="anonymous"></script>
Example: Webmanifest with credentials
The use-credentials value must be used when fetching a manifest that requires credentials, even if the file is from the same origin.
<link rel="manifest" href="/app.webmanifest" crossorigin="use-credentials">
Specifications
| Specification |
|---|
| HTML Standard # cors-settings-attributes |
| HTML Standard # attr-img-crossorigin |
Browser compatibility
script crossorigin
BCD tables only load in the browser
video crossorigin
BCD tables only load in the browser
link crossorigin
BCD tables only load in the browser