What is the HTML crossorigin attribute ? (CORS policy)

About

crossorigin is an attribute that set the mode of the request to an HTTP CORS Request.

Its value defines further the CORS policy.

It can be used on every html elements that fetch resources from a cross-origin Url.

Example

With the script element

<script 
   src="https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.14.7/umd/popper.min.js" 
   integrity="sha384-UO2eT0CpHqdSJQ6hJty5KVphtPhzWj9WO1clHTMGa3JDZwrnQq4sF86dIHNDz0W1" 
   crossorigin="anonymous" 
   defer="true">
</script>

where:

• HTML - Integrity attribute (SRI | Source Resource Integrity)
• HTML - Defer attribute

Syntax

<tag crossorigin=value/>

where:

• tag is one of the fetch HTML tag
• value is one of:
  • anonymous - CORS requests will have the mode set to same-origin.
  • use-credentials - CORS requests will have the mode set to include.

If the attribute is missing, the CORS request has the No CORS mode.

¹⁾

Documentation

• https://developer.mozilla.org/en-US/docs/Web/HTML/Attributes/crossorigin
• https://html.spec.whatwg.org/multipage/semantics.html#attr-link-crossorigin