Web/HTML/Attributes/crossorigin

From Get docs

Draft This page is not complete.


The crossorigin attribute, valid on the <audio>, <img>, <link>, <script>, and <video> elements, provides support for CORS, defining how the element handles crossorigin requests, thereby enabling the configuration of the CORS requests for the element's fetched data. Depending on the element, the attribute can be a CORS settings attribute.

The crossorigin content attribute on media elements is a CORS settings attribute.

These attributes are enumerated, and have the following possible values:

Keyword Description
anonymous CORS requests for this element will have the credentials flag set to 'same-origin'.
use-credentials CORS requests for this element will have the credentials flag set to 'include'.
"" Setting the attribute name to an empty value, like crossorigin or crossorigin="", is the same as anonymous.

By default (that is, when the attribute is not specified), CORS is not used at all. The "anonymous" keyword means that there will be no exchange of user credentials via cookies, client-side SSL certificates or HTTP authentication as described in the Terminology section of the CORS specification, unless it is in the same origin.

An invalid keyword and an empty string will be handled as the anonymous keyword.

Prior to Firefox 83 the crossorigin attribute was not supported for rel="icon" there is also an open issue for Chrome.


Example: crossorigin with the script element

You can use the following <script> element to tell a browser to execute the https://example.com/example-framework.js script without sending user-credentials.

<script src="https://example.com/example-framework.js" crossorigin="anonymous"></script>

Example: Webmanifest with credentials

The use-credentials value must be used when fetching a manifest that requires credentials, even if the file is from the same origin.

<link rel="manifest" href="/app.webmanifest" crossorigin="use-credentials">

Specifications

Specification Status Comment
HTML Living StandardThe definition of 'CORS settings attributes' in that specification. Living Standard
HTML Living StandardThe definition of 'crossorigin' in that specification. Living Standard

Browser compatibility

<script crossorigin>

The compatibility table in this page is generated from structured data. If you'd like to contribute to the data, please check out https://github.com/mdn/browser-compat-data and send us a pull request.

Update compatibility data on GitHub

Desktop Mobile
Chrome Edge Firefox Internet Explorer Opera Safari Android webview Chrome for Android Firefox for Android Opera for Android Safari on iOS Samsung Internet
crossorigin Chrome

Full support 30

Edge

Full support ≤18

Firefox

Full support 13

IE

No support No

Opera

Full support 12

Safari Full support Yes

Notes'

Full support Yes

Notes'

Notes' The crossorigin attribute was implemented in WebKit in WebKit bug 81438.

WebView Android

Full support Yes

Chrome Android

Full support Yes

Firefox Android

Full support 14

Opera Android

?

Safari iOS

?

Samsung Internet Android

Full support Yes

Legend

Full support  
Full support
No support  
No support
Compatibility unknown  
Compatibility unknown
See implementation notes.'
See implementation notes.


<video crossorigin>

The compatibility table in this page is generated from structured data. If you'd like to contribute to the data, please check out https://github.com/mdn/browser-compat-data and send us a pull request.

Update compatibility data on GitHub

Desktop Mobile
Chrome Edge Firefox Internet Explorer Opera Safari Android webview Chrome for Android Firefox for Android Opera for Android Safari on iOS Samsung Internet
crossorigin Chrome

?

Edge

Full support ≤18

Firefox

Full support 12

IE

?

Opera

?

Safari

?

WebView Android

?

Chrome Android

?

Firefox Android

Full support 14

Opera Android

?

Safari iOS

?

Samsung Internet Android

?

Legend

Full support  
Full support
Compatibility unknown  
Compatibility unknown


<link crossorigin>

The compatibility table in this page is generated from structured data. If you'd like to contribute to the data, please check out https://github.com/mdn/browser-compat-data and send us a pull request.

Update compatibility data on GitHub

Desktop Mobile
Chrome Edge Firefox Internet Explorer Opera Safari Android webview Chrome for Android Firefox for Android Opera for Android Safari on iOS Samsung Internet
crossorigin Chrome

Full support 25

Edge

Full support 79

Firefox

Full support 18

IE

No support No

Opera

Full support 15

Safari

?

WebView Android

Full support 37

Chrome Android

Full support Yes

Firefox Android

Full support 18

Opera Android

?

Safari iOS

?

Samsung Internet Android

Full support Yes

Legend

Full support  
Full support
No support  
No support
Compatibility unknown  
Compatibility unknown


See also