THE WORLD'S LARGEST WEB DEVELOPER SITE

HTML <script> crossorigin Attribute

❮ HTML <script> tag

Example

Here is a link to a .js file on another server. Here we use both the integrity and crossorigin attributes:

<script src="https://code.jquery.com/jquery-3.3.1.slim.min.js"
integrity="sha384-q8i/X+965DzO0rT7abK41JStQIAqVgRVzpbzo5smXKp4YfRvH+8abtTE1Pi6jizo"
crossorigin="anonymous">
</script>

Definition and Usage

The crossorigin attribute sets the mode of the request to an HTTP CORS Request.

Web pages often make requests to load resources on other servers. Here is where CORS comes in.

A cross-origin request is a request for a resource (e.g. style sheets, iframes, images, fonts, or scripts) from another domain.

CORS is used to manage cross-origin requests.

CORS stands for Cross-Origin Resource Sharing, and is a mechanism that allows resources on a web page to be requested from another domain outside their own domain. It defines a way of how a browser and server can interact to determine whether it is safe to allow the cross-origin request. CORS allows servers to specify who can access the assets on the server, among many other things.

Tip: The opposite of cross-origin requests is same-origin requests. This means that a web page can only interact with other documents that are also on the same server. This policy enforces that documents that interact with each other must have the same origin (domain).

Tip: Also look at the integrity attribute.


Browser Support

The numbers in the table specify the first browser version that fully supports the attribute.

Attribute
crossorigin 30.0 18.0 13.0 13.0 12.1

Syntax

<script crossorigin="anonymous|use-credentials">

Attribute Values

Value Description
anonymous
use-credentials
Specifies the mode of the CORS request:
  • anonymous - A cross-origin request is performed. No credentials are sent
  • use-credentials - A cross-origin request is performed. Credentials are sent (e.g. a cookie, a certificate, a HTTP Basic authentication)

❮ HTML <script> tag