The crossorigin attribute is a valuable feature in HTML that controls how a resource — such as a script, stylesheet, font, image, or media file — is fetched when it comes from a different origin than your page. It enables Cross-Origin Resource Sharing (CORS) so the browser can use the resource safely in APIs like <canvas>, WebGL, and font loading.
What You’ll Learn
01
CORS basics
Why it exists.
02
anonymous
No credentials.
03
use-credentials
Send cookies.
04
script / link
Common uses.
05
crossOrigin
JS property.
06
Server headers
Must allow CORS.
Fundamentals
Purpose of crossorigin
The primary purpose of the crossorigin attribute is to opt into CORS when loading a cross-origin resource. CORS is a browser security mechanism that lets servers declare which origins may read their responses. Without CORS, the browser may still display an image or run a script, but JavaScript may be blocked from inspecting the resource (for example, a tainted canvas).
💡
Attribute absent vs present
If you omit crossorigin, the request uses the default non-CORS mode. Add the attribute when you need CORS behavior — for fonts, canvas-safe images, or detailed cross-origin script error reporting.
Foundation
📝 Syntax
Add crossorigin to supported elements loading cross-origin URLs:
Only meaningful for cross-origin URLs (different scheme, host, or port).
Empty attribute crossorigin or crossorigin="" means anonymous.
JavaScript property name is crossOrigin (capital O).
The remote server must respond with appropriate CORS headers or the resource may fail to load for CORS purposes.
Reference
💎 Values
The crossorigin attribute accepts these CORS settings:
anonymous (or empty) — Fetch with CORS but do not send cookies, client certificates, or HTTP authentication credentials.
use-credentials — Include credentials such as cookies with the cross-origin request. The server must respond with Access-Control-Allow-Credentials: true and a specific allowed origin (not *).
⚠️
Common mistake
anonymous is not the default when the attribute is omitted. No crossorigin attribute means no CORS mode. You must add the attribute when you want CORS behavior.
crossorigin-values.html
<!-- Anonymous CORS (most common) --><scriptsrc="https://cdn.example.com/lib.js"crossorigin="anonymous"></script><!-- Shorthand for anonymous --><scriptsrc="https://cdn.example.com/lib.js"crossorigin></script><!-- Send cookies / credentials --><imgsrc="https://api.example.com/avatar.jpg"alt="Avatar"crossorigin="use-credentials">
Cheat Sheet
⚡ Quick Reference
Value
Markup
Behavior
Anonymous CORS
crossorigin="anonymous"
CORS request, no credentials
Anonymous shorthand
crossorigin
Same as anonymous
With credentials
crossorigin="use-credentials"
Sends cookies / auth
No CORS
(attribute omitted)
Default non-CORS fetch
JavaScript
el.crossOrigin = "anonymous"
Set before setting src/href
Font preload
rel="preload" as="font" crossorigin
Required for web fonts
Scope
Applicable Elements
Element
Supported?
Common use
<script>
Yes
CDN JavaScript, error details
<link>
Yes
Stylesheets, preloaded fonts
<img>
Yes
Canvas-safe images, WebGL textures
<video>, <audio>
Yes
Cross-origin media with CORS
<iframe>
No
Use iframe sandbox / CSP instead
Compare
When do you need crossorigin?
Scenario
Need crossorigin?
Typical value
Display a cross-origin image only
Often no
Omit attribute
Draw image to canvas and read pixels
Yes
anonymous
Preload web fonts
Yes
crossorigin
CDN script with error stack traces
Yes
anonymous
Private image requiring login cookie
Yes
use-credentials
Hands-On
Examples Gallery
Script, font preload, image, and JavaScript crossOrigin examples.
Implementation Example
Let’s look at a simple example of how to use the crossorigin attribute in an HTML <script> tag:
The browser requests app.js with CORS headers. No cookies are sent. The CDN must respond with Access-Control-Allow-Origin for your site.
How It Works
In this example, crossorigin="anonymous" tells the browser to fetch the script using CORS without credentials. This can improve cross-origin error reporting and is required for some integration scenarios.
Font Preload Example
Web font preloads almost always need crossorigin so the preload matches the CORS mode used by CSS @font-face:
Without CORS, drawImage works but getImageData throws a security error on a tainted canvas. With CORS and proper server headers, pixel data can be read.
How It Works
Cross-origin images without crossorigin taint the canvas when drawn. Adding crossorigin="anonymous" and CORS headers from the image server keeps the canvas readable.
Dynamic Values with JavaScript
You can dynamically set the crossOrigin property when creating elements in JavaScript. Set it before assigning src or href:
In this script, crossOrigin is set on a dynamically created script before src is assigned. Order matters: set CORS mode first, then the URL, then insert the element into the document.
A11y
♿ Accessibility & UX
Fallback content — If a CORS-protected script or font fails to load, ensure users still get readable text and functional UI.
Alt text on images — crossorigin does not replace meaningful alt descriptions.
Don’t block critical CSS — Misconfigured CORS on stylesheets can leave pages unstyled; test CDN headers.
Error monitoring — CORS failures may appear as network errors in DevTools; log them in production apps.
Performance — Failed font preloads without matching crossorigin waste bandwidth.
🧠 How crossorigin Works
1
Page requests resource
Browser sees crossorigin on script, link, img, or media.
Request
2
CORS mode applied
anonymous or use-credentials controls credential sending.
Mode
3
Server responds with headers
Access-Control-Allow-Origin (and credentials header if needed).
Headers
=
🔒
Safe cross-origin use
Canvas, fonts, and scripts can integrate without breaking security rules.
Compatibility
Browser Support
The crossorigin attribute is supported in all modern browsers on script, link, img, audio, and video elements.
✓ HTML5 · Fully supported
Universal CORS attribute
All major browsers honor crossorigin on media-loading elements.
99%Browser support
Google ChromeFully supported
Full support
Mozilla FirefoxFully supported
Full support
Apple SafariFully supported
Full support
Microsoft EdgeFully supported
Full support
crossorigin attribute99% supported
Bottom line: Use crossorigin confidently; verify your CDN or API sends matching CORS response headers.
Pro Tips
💡 Best Practices
✅ Do
Add crossorigin when loading fonts, canvas images, or CORS scripts
Use anonymous for public CDN resources
Set crossOrigin in JS before src or href
Configure Access-Control-Allow-Origin on the server
Match crossorigin on font preload and @font-face
❌ Don’t
Assume anonymous is the default when the attribute is omitted
Use use-credentials unless the server supports credentialed CORS
Expect CORS to work without server-side headers
Add crossorigin to same-origin resources unnecessarily
Confuse CORS with CSP or cookie SameSite rules
Use the crossorigin attribute when loading resources from different origins to enable proper CORS behavior, especially for fonts, canvas, and authenticated assets.
Choose anonymous for public CDN files and use-credentials only when cookies or HTTP auth must be sent.
Verify CORS headers on the server; the HTML attribute alone is not enough.
Wrap Up
Conclusion
The crossorigin attribute is a crucial tool for secure cross-origin resource loading in web applications. By understanding when to opt into CORS and which value to use, you can avoid tainted canvases, broken font preloads, and opaque script errors.
Remember that CORS is a partnership between HTML and server headers. The attribute tells the browser how to request the file; the server must explicitly allow your origin in its response.