In HTML5, some HTML elements which provide support for CORS, such as <img>
, <video>
or <script>
, have a crossorigin
attribute (crossOrigin
property), which lets you configure the CORS requests for the element's fetched data. These attributes are enumerated, and have the following possible values:
Keyword | Description |
anonymous |
CORS requests for this element will not have the credentials flag set. |
use-credentials |
CORS requests for this element will have the credentials flag set; this means the request will provide credentials. |
By default (that is, when the attribute is not specified), CORS is not used at all. The "anonymous" keyword means that there will be no exchange of user credentials via cookies, client-side SSL certificates or HTTP authentication as described in the Terminology section of the CORS specification.
An invalid keyword and an empty string will be handled as the anonymous
keyword.
Example: crossorigin with the script element
You can use the following <script>
element to tell a browser to execute the https://example.com/example-framework.js
script without sending user-credentials.
<script src="https://example.com/example-framework.js" crossorigin="anonymous"></script>
Specifications
Specification | Status | Comment |
---|---|---|
WHATWG HTML Living Standard The definition of 'CORS settings attributes' in that specification. |
Living Standard | |
WHATWG HTML Living Standard The definition of 'crossorigin' in that specification. |
Living Standard |
Browser compatibility
Feature | Chrome | Firefox (Gecko) | Internet Explorer | Opera | Safari (WebKit) |
---|---|---|---|---|---|
Basic support | 13 | 8.0 (8.0) | 11 | No support | (Yes) |
<video> |
? | 12.0 (12.0) | ? | ? | ? |
Feature | Android | Firefox Mobile (Gecko) | IE Mobile | Opera Mobile | Safari Mobile |
---|---|---|---|---|---|
Basic support | ? | 8.0 (8.0) | ? | ? | (Yes) |
<video> |
? | 12.0 (12.0) | ? | ? | ? |