HTML attribute: crossorigin
Draft: This page is not complete.
The crossorigin attribute, valid on the <audio>, <img>, <link>, <script>, and <video> elements, provides support for CORS, defining how the element handles crossorigin requests, thereby enabling the configuration of the CORS requests for the element's fetched data. Depending on the element, the attribute can be a CORS settings attribute.
The crossorigin content attribute on media elements is a CORS settings attribute.
These attributes are enumerated, and have the following possible values:
| Keyword | Description |
|---|---|
anonymous | CORS requests for this element will have the credentials flag set to 'same-origin'. |
use-credentials | CORS requests for this element will have the credentials flag set to 'include'. |
"" | Setting the attribute name to an empty value, like crossorigin or crossorigin="", is the same as anonymous. |
By default (that is, when the attribute is not specified), CORS is not used at all. The "anonymous" keyword means that there will be no exchange of user credentials via cookies, client-side SSL certificates or HTTP authentication as described in the Terminology section of the CORS specification, unless it is in the same origin.
An invalid keyword and an empty string will be handled as the anonymous keyword.
Note: Prior to Firefox 83 the crossorigin attribute was not supported for rel="icon" there is also an open issue for Chrome.
Example: crossorigin with the script element
You can use the following <script> element to tell a browser to execute the https://example.com/example-framework.js script without sending user-credentials.
<script src="https://example.com/example-framework.js" crossorigin="anonymous"></script>
Example: Webmanifest with credentials
The use-credentials value must be used when fetching a manifest that requires credentials, even if the file is from the same origin.
<link rel="manifest" href="/app.webmanifest" crossorigin="use-credentials">
Specifications
| Specification | Status | Comment |
|---|---|---|
| HTML Living Standard The definition of 'CORS settings attributes' in that specification. | Living Standard | |
| HTML Living Standard The definition of 'crossorigin' in that specification. | Living Standard |
Browser compatibility
| Desktop | Mobile | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Chrome | Edge | Firefox | Internet Explorer | Opera | Safari | WebView Android | Chrome Android | Firefox for Android | Opera Android | Safari on IOS | Samsung Internet | |
crossorigin |
25 |
79 |
18
Before Firefox 83,
crossorigin is not supported for rel="icon". |
No |
15 |
? |
37 |
Yes |
18 |
? |
? |
Yes |
| Desktop | Mobile | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Chrome | Edge | Firefox | Internet Explorer | Opera | Safari | WebView Android | Chrome Android | Firefox for Android | Opera Android | Safari on IOS | Samsung Internet | |
crossorigin |
? |
≤18 |
74
12-74
With
crossorigin="use-credentials", cookies aren't sent during seek. See bug 1532722. |
? |
? |
? |
? |
? |
79
14-79
With
crossorigin="use-credentials", cookies aren't sent during seek. See bug 1532722. |
? |
? |
? |
| Desktop | Mobile | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Chrome | Edge | Firefox | Internet Explorer | Opera | Safari | WebView Android | Chrome Android | Firefox for Android | Opera Android | Safari on IOS | Samsung Internet | |
crossorigin |
30 |
≤18 |
13 |
No |
12 |
Yes
The
crossorigin attribute was implemented in WebKit in WebKit bug 81438. |
Yes |
Yes |
14 |
? |
? |
Yes |
BCD tables only load in the browser
video crossorigin
BCD tables only load in the browser
link crossorigin
BCD tables only load in the browser
See also
© 2005–2021 MDN contributors.
Licensed under the Creative Commons Attribution-ShareAlike License v2.5 or later.
https://developer.mozilla.org/en-US/docs/Web/HTML/Attributes/crossorigin