This article needs a technical review. How you can help.
In HTML5, some HTML elements which provide support for CORS, such as <img> or <video>, have a crossorigin attribute (crossOrigin property), which lets you configure the CORS requests for the element's fetched data. These attributes are enumerated, and have the following possible values:
| Keyword | Description |
anonymous |
CORS requests for this element will not have the credentials flag set. |
use-credentials |
CORS requests for this element will have the credentials flag set; this means the request will provide credentials. |
By default (that is, when the attribute is not specified), CORS is not used at all. The "anonymous" keyword means that there will be no exchange of user credentials via cookies, client-side SSL certificates or HTTP authentication as described in the Terminology section of the CORS specification.
An invalid keyword and an empty string will be handled as the anonymous keyword.
Example: crossorigin with the script element
You can use the following <script> element to tell a browser to execute the https://example.com/example-framework.js script without sending user-credentials.
<script src="https://example.com/example-framework.js"
crossorigin="anonymous"></script>
Specifications
| Specification | Status | Comment |
|---|---|---|
| WHATWG HTML Living Standard The definition of 'CORS settings attributes' in that specification. |
Living Standard | |
| WHATWG HTML Living Standard The definition of 'crossorigin' in that specification. |
Living Standard |
Browser compatibility
| Feature | Chrome | Firefox (Gecko) | Internet Explorer | Opera | Safari (WebKit) |
|---|---|---|---|---|---|
| Basic support | 13 | 8.0 (8.0) | 11 | Not supported | (Yes) |
<video> |
? | 12.0 (12.0) | ? | ? | ? |
| Feature | Android | Firefox Mobile (Gecko) | IE Mobile | Opera Mobile | Safari Mobile |
|---|---|---|---|---|---|
| Basic support | ? | 8.0 (8.0) | ? | ? | (Yes) |
<video> |
? | 12.0 (12.0) | ? | ? | ? |