
Use crossorigin="anonymous" when fetching public resources

By default, when the browser loads a resource from another origin with a plain tag, it issues a no-cors request and attaches whatever cookies it holds for that origin (subject to the cookies' SameSite rules: with today's SameSite=Lax default only cookies explicitly marked SameSite=None; Secure travel cross-site). Consider this script tag:

<script src="//domain/script.js"></script>

Those cookies can carry session identifiers and other sensitive data, and a public resource such as a library served from a CDN has no use for them.

Adding the crossorigin attribute turns the fetch into a CORS request. With crossorigin="anonymous" the browser sends no cookies (or other credentials) to the other origin, and the script only runs if the server answers with a matching Access-Control-Allow-Origin header (* or the page's origin). The other value, crossorigin="use-credentials", keeps sending cookies and then also requires the server to reply with the exact origin plus Access-Control-Allow-Credentials: true; a wildcard is rejected in that case. For public resources, anonymous is the right choice. You can confirm the effect in the browser's DevTools Network tab: the request for the script should carry no Cookie header.

<script src="//domain/script.js" crossorigin="anonymous"></script>

For a short summary of the possible setups:

If the server sends an Access-Control-Allow-Origin header:

  • no crossorigin attribute: cookies are sent
  • crossorigin="anonymous": cookies are not sent

If the server does not support CORS:

  • no crossorigin attribute: cookies are sent
  • crossorigin="anonymous": the response fails the CORS check, the browser reports a CORS error and the script does not run
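The following is an added example, not code from the original post: a small model of what the browser does with a script tag, following the HTML "CORS settings attribute" rules (attribute value to request mode and credentials mode) and the Fetch "CORS check" (which responses a cross-origin page may use). It reproduces the four rows of the summary above and, going beyond the post, also shows why the invalid or empty attribute value behaves like anonymous and why use-credentials against a wildcard Access-Control-Allow-Origin is rejected. The origins, the cookie value and the two sample servers are constructed for illustration.

```javascript
// Added example (not from the original post). Models the browser side of a
// <script src> fetch per the HTML "CORS settings attribute" and Fetch "CORS check".

// Translate the crossorigin attribute (null = attribute absent) into the
// request mode and credentials mode the browser uses for the fetch.
function requestSettings(crossorigin) {
  if (crossorigin === null || crossorigin === undefined) {
    // No attribute: a no-cors request, and cookies go along with it.
    return { mode: "no-cors", credentials: "include" };
  }
  if (String(crossorigin).toLowerCase() === "use-credentials") {
    return { mode: "cors", credentials: "include" };
  }
  // "anonymous", the empty string (crossorigin="" or a bare `crossorigin`)
  // and any unrecognised value all map to the Anonymous state.
  return { mode: "cors", credentials: "same-origin" };
}

// Fetch's CORS check: may a page at pageOrigin use this cross-origin response?
function corsCheck(pageOrigin, credentials, responseHeaders) {
  const acao = responseHeaders["access-control-allow-origin"];
  if (acao === undefined) return false;                    // no CORS header at all
  if (credentials !== "include" && acao === "*") return true;
  if (acao !== pageOrigin) return false;                   // wildcard is not enough with credentials
  if (credentials !== "include") return true;
  return responseHeaders["access-control-allow-credentials"] === "true";
}

// Simulate loading <script src="resourceOrigin/script.js" crossorigin=...>
// from a document at pageOrigin. `server` maps request headers to response
// headers; `cookie` is the cookie the browser holds for resourceOrigin
// (assumed SameSite=None; Secure, so it is eligible for cross-site requests).
function loadScript({ pageOrigin, resourceOrigin, crossorigin, server, cookie }) {
  const { mode, credentials } = requestSettings(crossorigin);
  const isCrossOrigin = pageOrigin !== resourceOrigin;
  const cookiesSent = credentials === "include" || !isCrossOrigin;

  const requestHeaders = {};
  if (mode === "cors") requestHeaders.origin = pageOrigin; // CORS requests carry Origin
  if (cookiesSent && cookie) requestHeaders.cookie = cookie;

  const responseHeaders = server(requestHeaders);
  // Same-origin or no-cors: the script runs whatever headers come back
  // (in no-cors mode the page just cannot inspect the response).
  const executed = (!isCrossOrigin || mode === "no-cors")
    ? true
    : corsCheck(pageOrigin, credentials, responseHeaders);
  return { cookiesSent, executed };
}

// Two constructed servers: a public CDN that supports CORS, and one that does not.
const publicCdn = () => ({ "access-control-allow-origin": "*" });
const noCorsServer = () => ({});

// The four setups from the summary table, plus two cases the table omits.
function scenarios() {
  const base = {
    pageOrigin: "https://app.example",       // constructed
    resourceOrigin: "https://cdn.example",   // constructed
    cookie: "session=abc",                   // constructed
  };
  return {
    corsNoAttr:         loadScript({ ...base, crossorigin: null, server: publicCdn }),
    corsAnonymous:      loadScript({ ...base, crossorigin: "anonymous", server: publicCdn }),
    noCorsNoAttr:       loadScript({ ...base, crossorigin: null, server: noCorsServer }),
    noCorsAnonymous:    loadScript({ ...base, crossorigin: "anonymous", server: noCorsServer }),
    corsEmptyAttr:      loadScript({ ...base, crossorigin: "", server: publicCdn }),
    corsUseCredentials: loadScript({ ...base, crossorigin: "use-credentials", server: publicCdn }),
  };
}

console.log(JSON.stringify(scenarios(), null, 2));
```

Run it with node; the noCorsAnonymous row is the "blocked" case from the table (cookies not sent, script not executed), and corsUseCredentials shows that sending cookies to a server that answers with a wildcard origin gets the script rejected as well, which is why public assets should be loaded anonymously.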