Please note, this is a STATIC archive of website developer.mozilla.org from 03 Nov 2016, cach3.com does not collect or store any user information, there is no "phishing" involved.

Revision 1000481 of CORS settings attributes

  • Revision slug: Web/HTML/CORS_settings_attributes
  • Revision title: CORS settings attributes
  • Revision id: 1000481
  • Created:
  • Creator: sakjur
  • Is current revision? Yes
  • Comment Added an example
Tags: 

Revision Content

In HTML5, some HTML elements which provide support for CORS, such as {{ HTMLElement("img") }} or {{ HTMLElement("video") }}, have a crossorigin attribute (crossOrigin property), which lets you configure the CORS requests for the element's fetched data. These attributes are enumerated, and have the following possible values:

Keyword Description
anonymous CORS requests for this element will not have the credentials flag set.
use-credentials CORS requests for this element will have the credentials flag set; this means the request will provide credentials.

By default (that is, when the attribute is not specified), CORS is not used at all. The "anonymous" keyword means that there will be no exchange of user credentials via cookies, client-side SSL certificates or HTTP authentication as described in the Terminology section of the CORS specification.

An invalid keyword and an empty string will be handled as the anonymous keyword.

Example: crossorigin with the script element

You can use the following {{HTMLElement("script")}} element to tell a browser to execute the https://example.com/example-framework.js script without sending user-credentials.

<script src="https://example.com/example-framework.js"
        crossorigin="anonymous"></script>

Specifications

Specification Status Comment
{{SpecName('HTML WHATWG', 'infrastructure.html#cors-settings-attributes', 'CORS settings attributes')}} {{Spec2('HTML WHATWG')}}  
{{SpecName('HTML WHATWG', 'embedded-content.html#attr-img-crossorigin', 'crossorigin')}} {{Spec2('HTML WHATWG')}}  

Browser compatibility

{{ CompatibilityTable() }}

Feature Chrome Firefox (Gecko) Internet Explorer Opera Safari (WebKit)
Basic support 13 {{ CompatGeckoDesktop("8.0") }} 11 {{ CompatNo() }} {{ CompatVersionUnknown() }}
{{ HTMLElement("video")}} {{ CompatUnknown() }} {{ CompatGeckoDesktop("12.0") }} {{ CompatUnknown() }} {{ CompatUnknown() }} {{ CompatUnknown() }}
Feature Android Firefox Mobile (Gecko) IE Mobile Opera Mobile Safari Mobile
Basic support {{ CompatUnknown() }} {{ CompatGeckoMobile("8.0") }} {{ CompatUnknown() }} {{ CompatUnknown() }} {{ CompatVersionUnknown() }}
{{ HTMLElement("video")}} {{ CompatUnknown() }} {{ CompatGeckoMobile("12.0") }} {{ CompatUnknown() }} {{ CompatUnknown() }} {{ CompatUnknown() }}

See also

Revision Source

 
<p><span class="seoSummary">In HTML5, some HTML elements which provide support for <a href="/en-US/docs/HTTP/Access_control_CORS">CORS</a>, such as {{ HTMLElement("img") }} or {{ HTMLElement("video") }}, have a <code>crossorigin</code> attribute (<code>crossOrigin</code> property), which lets you configure the CORS requests for the element's fetched data.</span> These attributes are enumerated, and have the following possible values:</p>

<table class="standard-table">
 <tbody>
  <tr>
   <td class="header">Keyword</td>
   <td class="header">Description</td>
  </tr>
  <tr>
   <td><code>anonymous</code></td>
   <td>CORS requests for this element will not have the credentials flag set.</td>
  </tr>
  <tr>
   <td><code>use-credentials</code></td>
   <td>CORS requests for this element will have the credentials flag set; this means the request will provide credentials.</td>
  </tr>
 </tbody>
</table>

<p>By default (that is, when the attribute is not specified), CORS is not used at all. The "anonymous" keyword means that there will be no exchange of <strong>user credentials</strong> via cookies, client-side SSL certificates or HTTP authentication as described in the <a class="external" href="https://www.w3.org/TR/cors/#user-credentials">Terminology section of the CORS specification</a>.</p>

<p>An invalid keyword and an empty string will be handled as the <code>anonymous</code> keyword.</p>

<h3 id="Example_Subresource_Integrity_with_the_script_element">Example: crossorigin with the script element</h3>

<p>You can use the following {{HTMLElement("script")}} element to tell a browser to execute the <code>https://example.com/example-framework.js</code> script without sending user-credentials.</p>

<pre class="brush: html" name="example">
&lt;script src="https://example.com/example-framework.js"
        crossorigin="anonymous"&gt;&lt;/script&gt;</pre>

<h2 id="Specifications">Specifications</h2>

<table class="standard-table">
 <thead>
  <tr>
   <th scope="col">Specification</th>
   <th scope="col">Status</th>
   <th scope="col">Comment</th>
  </tr>
 </thead>
 <tbody>
  <tr>
   <td>{{SpecName('HTML WHATWG', 'infrastructure.html#cors-settings-attributes', 'CORS settings attributes')}}</td>
   <td>{{Spec2('HTML WHATWG')}}</td>
   <td>&nbsp;</td>
  </tr>
  <tr>
   <td>{{SpecName('HTML WHATWG', 'embedded-content.html#attr-img-crossorigin', 'crossorigin')}}</td>
   <td>{{Spec2('HTML WHATWG')}}</td>
   <td>&nbsp;</td>
  </tr>
 </tbody>
</table>

<h2 id="Browser_compatibility">Browser compatibility</h2>

<p>{{ CompatibilityTable() }}</p>

<div id="compat-desktop">
<table class="compat-table">
 <tbody>
  <tr>
   <th>Feature</th>
   <th>Chrome</th>
   <th>Firefox (Gecko)</th>
   <th>Internet Explorer</th>
   <th>Opera</th>
   <th>Safari (WebKit)</th>
  </tr>
  <tr>
   <td>Basic support</td>
   <td>13</td>
   <td>{{ CompatGeckoDesktop("8.0") }}</td>
   <td>11</td>
   <td>{{ CompatNo() }}</td>
   <td>{{ CompatVersionUnknown() }}</td>
  </tr>
  <tr>
   <td>{{ HTMLElement("video")}}</td>
   <td>{{ CompatUnknown() }}</td>
   <td>{{ CompatGeckoDesktop("12.0") }}</td>
   <td>{{ CompatUnknown() }}</td>
   <td>{{ CompatUnknown() }}</td>
   <td>{{ CompatUnknown() }}</td>
  </tr>
 </tbody>
</table>
</div>

<div id="compat-mobile">
<table class="compat-table">
 <tbody>
  <tr>
   <th>Feature</th>
   <th>Android</th>
   <th>Firefox Mobile (Gecko)</th>
   <th>IE Mobile</th>
   <th>Opera Mobile</th>
   <th>Safari Mobile</th>
  </tr>
  <tr>
   <td>Basic support</td>
   <td>{{ CompatUnknown() }}</td>
   <td>{{ CompatGeckoMobile("8.0") }}</td>
   <td>{{ CompatUnknown() }}</td>
   <td>{{ CompatUnknown() }}</td>
   <td>{{ CompatVersionUnknown() }}</td>
  </tr>
  <tr>
   <td>{{ HTMLElement("video")}}</td>
   <td>{{ CompatUnknown() }}</td>
   <td>{{ CompatGeckoMobile("12.0") }}</td>
   <td>{{ CompatUnknown() }}</td>
   <td>{{ CompatUnknown() }}</td>
   <td>{{ CompatUnknown() }}</td>
  </tr>
 </tbody>
</table>
</div>

<h2 id="See_also">See also</h2>

<ul>
 <li><a href="/En/HTTP_access_control" title="en/HTTP access control">HTTP access control</a></li>
</ul>
Revert to this revision