New in HTML5.

<img crossorigin="">

Disclosure: Your support helps keep the site running! We earn a referral fee for some of the services we recommend on this page. Learn more
Attribute of
HTML Tags Guide To Adding Images To Your Web Documents
What does <img crossorigin=""> do?
Indicates that CORS headers should be used in the HTTP request, and specifies whether or not to use credentials.

Code Example

<img src="" id="external-flamingo" crossorigin="anonymous">

Cross-origin images and the canvas element

The crossorigin attribute specifies how cross-origin images (images that violate the same origin policy) are treated. This is relevant in JavaScript web apps that makes use of the <canvas> element.

What is the same-origin policy?

The same-origin policy is a browser security policy that restricts on-page scripts from accessing or posting data to resources from a different host, on a different port, or with a different protocol than the current page. This is a required browser security feature that helps prevent third-party applications from stealing end-user data. A cross-origin resource, then, is a resource (file, document, image, script) which violates this policy by coming from a different host (domain) or by being accessed on a different port or with a different. Cross-origin resources are used all the time — hotlinked images, third-party libraries scripts like JQuery, resources served from Content Delivery Networks. These are all fine, because they are linked from the document source, and imported into the rendered document. The document itself can access cross-origin resources. However, scripts cannot access cross-origin resources. This is because a script could send data while accessing a cross-origin resource. (This policy does not stop scripts from all malicious behavior, but it ensures that user data will only be sent to resources controlled by the domain of the current page. If you, as a user, trust the domain, you can be sure your data isn’t be sent to a nefarious third-party.)

The <canvas> element and cross-origin resources

The HTML5 <canvas> element provides a panel for rendering JavaScript-generated images. On-page scripts can write visual data into a <canvas> element and, normally, read data out of one as well. However, if a cross-origin resource (such as a third-party script or a hot-linked image) is used to write information to a <canvas>, then the <canvas> becomes tainted. A tainted canvas can still be written to, but it cannot be read from. Attempts to read data back from a tainted canvas will result in a security error.

CORS and the crossorigin attribute

CORS, or Cross Origin Resource Sharing, is a method of accessing cross-origin resources safely. There are two parts to successful cross-origin resource sharing — proper resource headers from the server, and proper request headers from the client. To learn about adding CORS-enabled resource header, see this article about Server Side Access Control. Adding appropriate request headers for images is as simple as adding the crossorigin attribute to the <img> element. If your browser supports CORS, using the crossorigin attribute (with any value) will generate the appropriate request headers.

Adam is a technical writer who specializes in developer documentation and tutorials.

Browser Support for crossorigin