Use crossorigin="anonymous" when fetching public resources
By default, when the browser loads a resource from a different domain, it also sends cookies with the request. Consider this script tag:
<script src="//domain/script.js"></script>
Those cookies can include session identifiers and other sensitive data, but for public resources they are unnecessary.
You can set the crossorigin attribute to make the browser issue a CORS request. If the server supports it (sending back a matching Access-Control-Allow-Origin header), set the attribute to anonymous so that no cookies are sent:
<script src="//domain/script.js" crossorigin="anonymous"></script>
For a short summary of the possible setups:
If the server sends an Access-Control-Allow-Origin header:
- no crossorigin attribute: cookies are sent
- crossorigin="anonymous": cookies are not sent
If the server does not support CORS:
- no crossorigin attribute: cookies are sent
- crossorigin="anonymous": the request is blocked
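To find the script tags on your own pages that still fall into the "cookies are sent" rows, here is an added example (not from the original post) that audits an HTML document using only Node built-ins; the page URL and the sample HTML are constructed, and protocol-relative sources like the //domain/script.js form above are resolved against the page's scheme.

```javascript
// Added example (not from the original post): audit an HTML document for
// cross-origin <script src> tags that will carry cookies to another host.
// Node built-ins only; the page URL and sample HTML below are constructed.

const SCRIPT_OPEN = /<script\b([^>]*)>/gi;
const ATTR = /([^\s=\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

// Parse the attribute string of an opening tag into a {name: value} map.
function parseAttrs(raw) {
  const attrs = {};
  for (const m of raw.matchAll(ATTR)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// A protocol-relative "//domain/script.js" resolves against the page's scheme.
function isCrossOrigin(src, pageUrl) {
  const page = new URL(pageUrl);
  let target;
  try { target = new URL(src, page); } catch { return false; }
  return target.origin !== page.origin;
}

// Per the HTML spec, a missing crossorigin attribute means a no-CORS request
// (cookies sent); "anonymous", "" or any other value means CORS without
// credentials; only "use-credentials" sends cookies over CORS.
function cookiesSentFor(crossorigin) {
  if (crossorigin === null) return true;
  return crossorigin.toLowerCase() === "use-credentials";
}

function auditScripts(html, pageUrl) {
  const findings = [];
  for (const m of html.matchAll(SCRIPT_OPEN)) {
    const attrs = parseAttrs(m[1]);
    if (!("src" in attrs) || !isCrossOrigin(attrs.src, pageUrl)) continue;
    const crossorigin = "crossorigin" in attrs ? attrs.crossorigin : null;
    findings.push({ src: attrs.src, crossorigin, cookiesSent: cookiesSentFor(crossorigin) });
  }
  return findings;
}

// Constructed sample page: one same-origin script, three cross-origin ones.
const PAGE_URL = "https://app.example/index.html";
const SAMPLE_HTML = `
<script src="/app.js"></script>
<script src="//cdn.example/lib.js"></script>
<script src="https://cdn.example/widget.js" crossorigin="anonymous"></script>
<script src="https://api.example/sdk.js" crossorigin="use-credentials"></script>
<script>console.log("inline");</script>`;

// Return only the scripts that would send cookies to a third-party host.
function leakyScripts() {
  return auditScripts(SAMPLE_HTML, PAGE_URL).filter((f) => f.cookiesSent);
}

console.log(leakyScripts());
```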