Question

81

With < script crossorigin='anonymous'>, why is a script blocked by CORS policy?

rated 0 times [ 86] [ 5] / answers: 1 / hits: 75879 / 8 Years ago, fri, december 9, 2016, 12:00:00

With Google Chrome or Firefox, if I try to load the following HTML:

<script crossorigin='anonymous' src='https://stackoverflow.com/foo.js'></script>

I get a CORS error like this:

Access to Script at 'https://stackoverflow.com/foo.js' from origin 'https://stackoverflow.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource...

However, the same tag without the crossorigin='anonymous' attribute works fine (of course generating a 404 error, since foo.js does not exist).

This is surprising, since anonymous is just supposed to prevent sending any credentials, and script tags are not supposed to require CORS. What is causing this, and what should I do?

Answers

Only authorized users can answer the question. Please sign in first, or register a free account.

khalilb

Add To Favorites

Follow

Total Points: 173

Total Questions: 110

Total Answers: 105

Location: Honduras

Member since Thu, Mar 23, 2023

1 Year ago

answered 8 Years ago miles · Accepted Answer

I was confused about this for a while. Here's how I now understand it:

According to the W3C, there are actually three possible values for the crossorigin attribute: anonymous, use-credentials, and an missing value default that can only be accessed by omitting the attribute. (An empty string, on the other hand, maps to anonymous.) The default value causes the browser to skip CORS entirely, which is the normal behavior I was expecting.

The crossorigin attribute should only be used if we care about getting error information for the script being loaded. Since accessing this information requires a CORS check, the Access-Control-Allow-Origin header must be present on the resource for it to be loaded.