HTML crossorigin Attribute

Beginner
⏱️ 5 min read
📚 Updated: Jun 2026
🎯 4 Examples
Security & CORS

Introduction

The crossorigin attribute is a valuable feature in HTML that controls how a resource — such as a script, stylesheet, font, image, or media file — is fetched when it comes from a different origin than your page. It enables Cross-Origin Resource Sharing (CORS) so the browser can use the resource safely in APIs like <canvas>, WebGL, and font loading.

What You’ll Learn

01

CORS basics

Why it exists.

02

anonymous

No credentials.

03

use-credentials

Send cookies.

04

script / link

Common uses.

05

crossOrigin

JS property.

06

Server headers

Must allow CORS.

Purpose of crossorigin

The primary purpose of the crossorigin attribute is to opt into CORS when loading a cross-origin resource. CORS is a browser security mechanism that lets servers declare which origins may read their responses. Without CORS, the browser may still display an image or run a script, but JavaScript may be blocked from inspecting the resource (for example, a tainted canvas).

💡
Attribute absent vs present

If you omit crossorigin, the request uses the default non-CORS mode. Add the attribute when you need CORS behavior — for fonts, canvas-safe images, or detailed cross-origin script error reporting.

📝 Syntax

Add crossorigin to supported elements loading cross-origin URLs:

crossorigin.html
<script src="https://cdn.example.com/app.js" crossorigin="anonymous"></script>



<link rel="stylesheet" href="https://cdn.example.com/style.css" crossorigin="anonymous">



<img src="https://cdn.example.com/photo.jpg" alt="Photo" crossorigin="anonymous">

Syntax Rules

  • Only meaningful for cross-origin URLs (different scheme, host, or port).
  • Empty attribute crossorigin or crossorigin="" means anonymous.
  • JavaScript property name is crossOrigin (capital O).
  • The remote server must respond with appropriate CORS headers or the resource may fail to load for CORS purposes.

💎 Values

The crossorigin attribute accepts these CORS settings:

  • anonymous (or empty) — Fetch with CORS but do not send cookies, client certificates, or HTTP authentication credentials.
  • use-credentials — Include credentials such as cookies with the cross-origin request. The server must respond with Access-Control-Allow-Credentials: true and a specific allowed origin (not *).
⚠️
Common mistake

anonymous is not the default when the attribute is omitted. No crossorigin attribute means no CORS mode. You must add the attribute when you want CORS behavior.

crossorigin-values.html
<!-- Anonymous CORS (most common) -->

<script src="https://cdn.example.com/lib.js" crossorigin="anonymous"></script>



<!-- Shorthand for anonymous -->

<script src="https://cdn.example.com/lib.js" crossorigin></script>



<!-- Send cookies / credentials -->

<img src="https://api.example.com/avatar.jpg" alt="Avatar" crossorigin="use-credentials">

⚡ Quick Reference

ValueMarkupBehavior
Anonymous CORScrossorigin="anonymous"CORS request, no credentials
Anonymous shorthandcrossoriginSame as anonymous
With credentialscrossorigin="use-credentials"Sends cookies / auth
No CORS(attribute omitted)Default non-CORS fetch
JavaScriptel.crossOrigin = "anonymous"Set before setting src/href
Font preloadrel="preload" as="font" crossoriginRequired for web fonts

Applicable Elements

ElementSupported?Common use
<script>YesCDN JavaScript, error details
<link>YesStylesheets, preloaded fonts
<img>YesCanvas-safe images, WebGL textures
<video>, <audio>YesCross-origin media with CORS
<iframe>NoUse iframe sandbox / CSP instead

When do you need crossorigin?

ScenarioNeed crossorigin?Typical value
Display a cross-origin image onlyOften noOmit attribute
Draw image to canvas and read pixelsYesanonymous
Preload web fontsYescrossorigin
CDN script with error stack tracesYesanonymous
Private image requiring login cookieYesuse-credentials

Examples Gallery

Script, font preload, image, and JavaScript crossOrigin examples.

Implementation Example

Let’s look at a simple example of how to use the crossorigin attribute in an HTML <script> tag:

index.html
<script src="https://example.com/scripts/app.js" crossorigin="anonymous"></script>
Try It Yourself

How It Works

In this example, crossorigin="anonymous" tells the browser to fetch the script using CORS without credentials. This can improve cross-origin error reporting and is required for some integration scenarios.

Font Preload Example

Web font preloads almost always need crossorigin so the preload matches the CORS mode used by CSS @font-face:

font-preload.html
<link rel="preload" href="https://cdn.example.com/font.woff2" as="font" type="font/woff2" crossorigin>
Try It Yourself

How It Works

Font requests use CORS even on the same origin in many browsers. Matching crossorigin on preload and @font-face avoids wasted downloads.

Image Example

Use crossorigin on images you plan to draw to a canvas or use with WebGL:

cors-image.html
<img src="https://cdn.example.com/photo.jpg" alt="Photo" crossorigin="anonymous" id="photo">



<canvas id="c" width="200" height="133"></canvas>

<script>

  var img = document.getElementById("photo");

  img.onload = function () {

    var ctx = document.getElementById("c").getContext("2d");

    ctx.drawImage(img, 0, 0);

  };

</script>
Try It Yourself

How It Works

Cross-origin images without crossorigin taint the canvas when drawn. Adding crossorigin="anonymous" and CORS headers from the image server keeps the canvas readable.

Dynamic Values with JavaScript

You can dynamically set the crossOrigin property when creating elements in JavaScript. Set it before assigning src or href:

dynamic-crossorigin.html
<script>

  var script = document.createElement("script");

  script.crossOrigin = "anonymous";

  script.src = "https://example.com/scripts/app.js";

  document.body.appendChild(script);

</script>
Try It Yourself

How It Works

In this script, crossOrigin is set on a dynamically created script before src is assigned. Order matters: set CORS mode first, then the URL, then insert the element into the document.

♿ Accessibility & UX

  • Fallback content — If a CORS-protected script or font fails to load, ensure users still get readable text and functional UI.
  • Alt text on imagescrossorigin does not replace meaningful alt descriptions.
  • Don’t block critical CSS — Misconfigured CORS on stylesheets can leave pages unstyled; test CDN headers.
  • Error monitoring — CORS failures may appear as network errors in DevTools; log them in production apps.
  • Performance — Failed font preloads without matching crossorigin waste bandwidth.

🧠 How crossorigin Works

1

Page requests resource

Browser sees crossorigin on script, link, img, or media.

Request
2

CORS mode applied

anonymous or use-credentials controls credential sending.

Mode
3

Server responds with headers

Access-Control-Allow-Origin (and credentials header if needed).

Headers
=

Safe cross-origin use

Canvas, fonts, and scripts can integrate without breaking security rules.

Browser Support

The crossorigin attribute is supported in all modern browsers on script, link, img, audio, and video elements.

HTML5 · Fully supported

Universal CORS attribute

All major browsers honor crossorigin on media-loading elements.

99% Browser support
Google Chrome Fully supported
Full support
Mozilla Firefox Fully supported
Full support
Apple Safari Fully supported
Full support
Microsoft Edge Fully supported
Full support
crossorigin attribute 99% supported

Bottom line: Use crossorigin confidently; verify your CDN or API sends matching CORS response headers.

💡 Best Practices

✅ Do

  • Add crossorigin when loading fonts, canvas images, or CORS scripts
  • Use anonymous for public CDN resources
  • Set crossOrigin in JS before src or href
  • Configure Access-Control-Allow-Origin on the server
  • Match crossorigin on font preload and @font-face

❌ Don’t

  • Assume anonymous is the default when the attribute is omitted
  • Use use-credentials unless the server supports credentialed CORS
  • Expect CORS to work without server-side headers
  • Add crossorigin to same-origin resources unnecessarily
  • Confuse CORS with CSP or cookie SameSite rules
  • Use the crossorigin attribute when loading resources from different origins to enable proper CORS behavior, especially for fonts, canvas, and authenticated assets.
  • Choose anonymous for public CDN files and use-credentials only when cookies or HTTP auth must be sent.
  • Verify CORS headers on the server; the HTML attribute alone is not enough.

Conclusion

The crossorigin attribute is a crucial tool for secure cross-origin resource loading in web applications. By understanding when to opt into CORS and which value to use, you can avoid tainted canvases, broken font preloads, and opaque script errors.

Remember that CORS is a partnership between HTML and server headers. The attribute tells the browser how to request the file; the server must explicitly allow your origin in its response.

Key Takeaways

Knowledge Unlocked

Five truths every developer should know about crossorigin

Bookmark these before loading CDN assets.

5
Core concepts
👤 02

anonymous

No credentials.

Value
🍪 03

use-credentials

Send cookies.

Auth
⚙️ 04

crossOrigin

Capital O in JS.

Script
🌐 05

Server Headers

Allow-Origin.

Required

❓ Frequently Asked Questions

It enables CORS when fetching a resource so the browser can use it in security-sensitive APIs like canvas pixel reads, WebGL, and font loading.
No. Omitting crossorigin means no CORS mode. When the attribute is present, empty or anonymous selects anonymous CORS.
script, link, img, audio, and video when loading external resources.
When the resource requires cookies or HTTP authentication. The server must allow credentials and specify your origin explicitly.
Use element.crossOrigin = "anonymous" or "use-credentials" before setting src or href.
Font fetches use CORS. The preload request must use the same CORS mode as the CSS @font-face request or the browser downloads the font twice.

Load cross-origin resources correctly

Practice crossorigin on scripts, fonts, images, and dynamic JavaScript in the Try It editor.

Try script crossorigin example →

About the author

Mari Selvan M P
Mari Selvan M P 🔗

Developer, cloud engineer, and technical writer

  • Experience 12 years building web and cloud systems
  • Focus Full Stack Development, AWS, and Developer Education

I write practical tutorials so students and working developers can learn by doing—from databases and APIs to deployment on AWS.

4 people found this page helpful