1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
|
<header><h1>HTML attribute: crossorigin</h1></header><div class="section-content">
<p>The <code>crossorigin</code> attribute, valid on the <a href="../element/audio"><code><audio></code></a>, <a href="../element/img"><code><img></code></a>, <a href="../element/link"><code><link></code></a>, <a href="../element/script"><code><script></code></a>, and <a href="../element/video"><code><video></code></a> elements, provides support for <a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS">CORS</a>, defining how the element handles cross-origin requests, thereby enabling the configuration of the CORS requests for the element's fetched data. Depending on the element, the attribute can be a CORS settings attribute.</p> <p>The <code>crossorigin</code> content attribute on media elements is a CORS settings attribute.</p> <p>These attributes are <a href="https://developer.mozilla.org/en-US/docs/Glossary/Enumerated">enumerated</a>, and have the following possible values:</p> <dl> <dt id="anonymous"><a href="#anonymous"><code>anonymous</code></a></dt> <dd> <p>Request uses CORS headers and credentials flag is set to <code>'same-origin'</code>. There is no exchange of <strong>user credentials</strong> via cookies, client-side TLS certificates or HTTP authentication, unless destination is the same origin.</p> </dd> <dt id="use-credentials"><a href="#use-credentials"><code>use-credentials</code></a></dt> <dd> <p>Request uses CORS headers, credentials flag is set to <code>'include'</code> and <strong>user credentials</strong> are always included.</p> </dd> <dt id="sect1"><a href="#sect1"><code>""</code></a></dt> <dd> <p>Setting the attribute name to an empty value, like <code>crossorigin</code> or <code>crossorigin=""</code>, is the same as <code>anonymous</code>.</p> </dd> </dl> <p>An invalid keyword and an empty string will be handled as the <code>anonymous</code> keyword.</p> <p>By default (that is, when the attribute is not specified), CORS is not used at all. The user agent will not ask for permission for full access to the resource and in the case of a cross-origin request, certain limitations will be applied based on the type of element concerned:</p> <figure class="table-container"><div class="_table"><table class="no-markdown"> <tbody> <tr> <th class="header">Element</th> <th class="header">Restrictions</th> </tr> <tr> <td>
<code>img</code>, <code>audio</code>, <code>video</code>
</td> <td>When resource is placed in <a href="../element/canvas"><code><canvas></code></a>, element is marked as <a href="../cors_enabled_image#security_and_tainted_canvases"><em>tainted</em></a>.</td> </tr> <tr> <td><code>script</code></td> <td>Access to error logging via <a href="https://developer.mozilla.org/en-US/docs/Web/API/Window/error_event"><code>window.onerror</code></a> will be limited.</td> </tr> <tr> <td><code>link</code></td> <td>Request with no appropriate <code>crossorigin</code> header may be discarded.</td> </tr> </tbody> </table></div></figure> <div class="notecard note" id="sect2"> <p><strong>Note:</strong> The <code>crossorigin</code> attribute is not supported for <a href="rel#icon"><code>rel="icon"</code></a> in Chromium-based browsers. See the <a href="https://crbug.com/1121645" target="_blank">open Chromium issue</a>.</p> </div>
</div>
<h3 id="example_crossorigin_with_the_script_element">Example: <code>crossorigin</code> with the <code><script></code> element</h3>
<div class="section-content">
<p>You can use the following <a href="../element/script"><code><script></code></a> element to tell a browser to execute the <code>https://example.com/example-framework.js</code> script without sending user-credentials.</p> <div class="code-example">
<p class="example-header"><span class="language-name">html</span></p>
<pre data-signature="gmqRYTcssVuwG1FefnItqBu/UE7w3Jg+n1G/xD9L18g=" data-language="html"><span class="token tag"><span class="token tag"><span class="token punctuation"><</span>script</span>
<span class="token attr-name">src</span><span class="token attr-value"><span class="token punctuation attr-equals">=</span><span class="token punctuation">"</span>https://example.com/example-framework.js<span class="token punctuation">"</span></span>
<span class="token attr-name">crossorigin</span><span class="token attr-value"><span class="token punctuation attr-equals">=</span><span class="token punctuation">"</span>anonymous<span class="token punctuation">"</span></span><span class="token punctuation">></span></span><span class="token tag"><span class="token tag"><span class="token punctuation"></</span>script</span><span class="token punctuation">></span></span>
</pre>
</div>
</div>
<h3 id="example_web_manifest_with_credentials">Example: Web manifest with credentials</h3>
<div class="section-content">
<p>The <code>use-credentials</code> value must be used when fetching a <a href="https://developer.mozilla.org/en-US/docs/Web/Manifest">manifest</a> that requires credentials, even if the file is from the same origin.</p> <div class="code-example">
<p class="example-header"><span class="language-name">html</span></p>
<pre data-signature="qUcPtbg+8FhpveA2KUhgWKnN9kHckcDS7x8ZhcAtFJA=" data-language="html"><span class="token tag"><span class="token tag"><span class="token punctuation"><</span>link</span> <span class="token attr-name">rel</span><span class="token attr-value"><span class="token punctuation attr-equals">=</span><span class="token punctuation">"</span>manifest<span class="token punctuation">"</span></span> <span class="token attr-name">href</span><span class="token attr-value"><span class="token punctuation attr-equals">=</span><span class="token punctuation">"</span>/app.webmanifest<span class="token punctuation">"</span></span> <span class="token attr-name">crossorigin</span><span class="token attr-value"><span class="token punctuation attr-equals">=</span><span class="token punctuation">"</span>use-credentials<span class="token punctuation">"</span></span> <span class="token punctuation">/></span></span>
</pre>
</div>
</div>
<h2 id="specifications">Specifications</h2>
<div class="_table"><table class="standard-table">
<thead><tr><th scope="col">Specification</th></tr></thead>
<tbody><tr><td><a href="https://html.spec.whatwg.org/multipage/urls-and-fetching.html#cors-settings-attributes">HTML Standard <br><small># cors-settings-attributes</small></a></td></tr></tbody>
</table></div>
<h2 id="browser_compatibility">Browser compatibility</h2>
<div class="_table"><table>
<thead>
<tr id="bct-browser-type">
<th></th>
<th colspan="6">Desktop</th>
<th colspan="6">Mobile</th>
</tr>
<tr id="bct-browsers">
<th></th>
<th>Chrome</th>
<th>Edge</th>
<th>Firefox</th>
<th>Internet Explorer</th>
<th>Opera</th>
<th>Safari</th>
<th>WebView Android</th>
<th>Chrome Android</th>
<th>Firefox for Android</th>
<th>Opera Android</th>
<th>Safari on IOS</th>
<th>Samsung Internet</th>
</tr>
</thead>
<tbody><tr>
<th><code>crossorigin</code></th>
<td class="bc-supports-yes">33</td>
<td class="bc-supports-yes">≤18</td>
<td class="bc-supports-yes">74<details><summary>12–74</summary>With <code>crossorigin="use-credentials"</code>, cookies aren't sent during seek. See <a href="https://bugzil.la/1532722">bug 1532722</a>.</details>
</td>
<td class="bc-supports-no">No</td>
<td class="bc-supports-yes">20</td>
<td class="bc-supports-yes">10</td>
<td class="bc-supports-yes">4.4.3</td>
<td class="bc-supports-yes">33</td>
<td class="bc-supports-yes">79<details><summary>14–79</summary>With <code>crossorigin="use-credentials"</code>, cookies aren't sent during seek. See <a href="https://bugzil.la/1532722">bug 1532722</a>.</details>
</td>
<td class="bc-supports-yes">20</td>
<td class="bc-supports-yes">10</td>
<td class="bc-supports-yes">2.0</td>
</tr></tbody>
</table></div>
<div class="_table"><table>
<thead>
<tr id="bct-browser-type">
<th></th>
<th colspan="6">Desktop</th>
<th colspan="6">Mobile</th>
</tr>
<tr id="bct-browsers">
<th></th>
<th>Chrome</th>
<th>Edge</th>
<th>Firefox</th>
<th>Internet Explorer</th>
<th>Opera</th>
<th>Safari</th>
<th>WebView Android</th>
<th>Chrome Android</th>
<th>Firefox for Android</th>
<th>Opera Android</th>
<th>Safari on IOS</th>
<th>Samsung Internet</th>
</tr>
</thead>
<tbody><tr>
<th><code>crossorigin</code></th>
<td class="bc-supports-yes">19</td>
<td class="bc-supports-yes">14</td>
<td class="bc-supports-yes">14</td>
<td class="bc-supports-no">No</td>
<td class="bc-supports-yes">12</td>
<td class="bc-supports-yes"><details><summary>6</summary>The <code>crossorigin</code> attribute was implemented in WebKit in WebKit <a href="https://webkit.org/b/81438">bug 81438</a>.</details></td>
<td class="bc-supports-yes">4.4</td>
<td class="bc-supports-yes">25</td>
<td class="bc-supports-yes">14</td>
<td class="bc-supports-yes">12</td>
<td class="bc-supports-yes"><details><summary>6</summary>The <code>crossorigin</code> attribute was implemented in WebKit in WebKit <a href="https://webkit.org/b/81438">bug 81438</a>.</details></td>
<td class="bc-supports-yes">1.5</td>
</tr></tbody>
</table></div>
<div class="_table"><table>
<thead>
<tr id="bct-browser-type">
<th></th>
<th colspan="6">Desktop</th>
<th colspan="6">Mobile</th>
</tr>
<tr id="bct-browsers">
<th></th>
<th>Chrome</th>
<th>Edge</th>
<th>Firefox</th>
<th>Internet Explorer</th>
<th>Opera</th>
<th>Safari</th>
<th>WebView Android</th>
<th>Chrome Android</th>
<th>Firefox for Android</th>
<th>Opera Android</th>
<th>Safari on IOS</th>
<th>Samsung Internet</th>
</tr>
</thead>
<tbody><tr>
<th><code>crossorigin</code></th>
<td class="bc-supports-yes">34</td>
<td class="bc-supports-yes">17</td>
<td class="bc-supports-yes"><details><summary>18</summary>Before Firefox 83, <code>crossorigin</code> is not supported for <code>rel="icon"</code>.</details></td>
<td class="bc-supports-no">No</td>
<td class="bc-supports-yes">21</td>
<td class="bc-supports-yes">10</td>
<td class="bc-supports-yes">37</td>
<td class="bc-supports-yes">34</td>
<td class="bc-supports-yes"><details><summary>18</summary>Before Firefox 83, <code>crossorigin</code> is not supported for <code>rel="icon"</code>.</details></td>
<td class="bc-supports-yes">21</td>
<td class="bc-supports-yes">10</td>
<td class="bc-supports-yes">2.0</td>
</tr></tbody>
</table></div>
<div class="_table"><table>
<thead>
<tr id="bct-browser-type">
<th></th>
<th colspan="6">Desktop</th>
<th colspan="6">Mobile</th>
</tr>
<tr id="bct-browsers">
<th></th>
<th>Chrome</th>
<th>Edge</th>
<th>Firefox</th>
<th>Internet Explorer</th>
<th>Opera</th>
<th>Safari</th>
<th>WebView Android</th>
<th>Chrome Android</th>
<th>Firefox for Android</th>
<th>Opera Android</th>
<th>Safari on IOS</th>
<th>Samsung Internet</th>
</tr>
</thead>
<tbody><tr>
<th><code>crossorigin</code></th>
<td class="bc-supports-yes">13</td>
<td class="bc-supports-yes">12</td>
<td class="bc-supports-yes">8</td>
<td class="bc-supports-yes">Yes</td>
<td class="bc-supports-yes">15</td>
<td class="bc-supports-yes">6</td>
<td class="bc-supports-yes">4.4</td>
<td class="bc-supports-yes">18</td>
<td class="bc-supports-yes">8</td>
<td class="bc-supports-yes">14</td>
<td class="bc-supports-yes">6</td>
<td class="bc-supports-yes">1.0</td>
</tr></tbody>
</table></div>
<h3 id="html.elements.img.crossorigin">html.elements.img.crossorigin</h3>
<p>BCD tables only load in the browser<noscript> with JavaScript enabled. Enable JavaScript to view data.</noscript></p>
<h3 id="html.elements.link.crossorigin">html.elements.link.crossorigin</h3>
<p>BCD tables only load in the browser<noscript> with JavaScript enabled. Enable JavaScript to view data.</noscript></p>
<h3 id="html.elements.script.crossorigin">html.elements.script.crossorigin</h3>
<p>BCD tables only load in the browser<noscript> with JavaScript enabled. Enable JavaScript to view data.</noscript></p>
<h3 id="html.elements.video.crossorigin">html.elements.video.crossorigin</h3>
<p>BCD tables only load in the browser<noscript> with JavaScript enabled. Enable JavaScript to view data.</noscript></p>
<h2 id="see_also">See also</h2>
<div class="section-content"><ul> <li><a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS">Cross-Origin Resource Sharing (CORS)</a></li> <li><a href="rel">HTML attribute: <code>rel</code></a></li> </ul></div><div class="_attribution">
<p class="_attribution-p">
© 2005–2023 MDN contributors.<br>Licensed under the Creative Commons Attribution-ShareAlike License v2.5 or later.<br>
<a href="https://developer.mozilla.org/en-US/docs/Web/HTML/Attributes/crossorigin" class="_attribution-link">https://developer.mozilla.org/en-US/docs/Web/HTML/Attributes/crossorigin</a>
</p>
</div>
|
