DOC-3233:Refactor CORS documentation: replace script_crossorigin.adoc with crossorigin.adoc for improved clarity and organization.

kemister85 · kemister85 · commit 1277c5148af4 · 2025-07-01T15:39:16.000+10:00
diff --git a/modules/ROOT/pages/tinymce-and-cors.adoc b/modules/ROOT/pages/tinymce-and-cors.adoc
@@ -5,7 +5,7 @@
 
 == Cross-Origin Resource Sharing related options
 
-include::partial$configuration/script_crossorigin.adoc[leveloffset=+1]
+include::partial$configuration/crossorigin.adoc[leveloffset=+1]
 
 include::partial$configuration/referrer_policy.adoc[leveloffset=+1]
 
diff --git a/modules/ROOT/partials/configuration/crossorigin.adoc b/modules/ROOT/partials/configuration/crossorigin.adoc
@@ -0,0 +1,89 @@
+[[crossorigin]]
+== `+crossorigin+`
+
+The `+crossorigin+` option controls how {productname} handles cross-origin resource loading. This option accepts a function that determines the appropriate crossorigin attribute value based on the resource being loaded.
+
+*Type:* `+(url: string, resourceType: 'script' | 'stylesheet') => string+`
+
+*Default value:*
+
+* For {cloudname}: A function that returns `+'anonymous'+` for cloud resources and omits the attribute for other resources.
+* For self-hosted: A function that **omits** the crossorigin attribute for all resources.
+
+*Possible values:* A function that returns one of:
+
+* `+'anonymous'+` - Sets crossorigin="anonymous".
+* `+'use-credentials'+` - Sets crossorigin="use-credentials".
+* `+''+` (empty string) - Omits the crossorigin attribute entirely.
+
+=== Example: Basic configuration
+
+[source,js]
+----
+tinymce.init({
+  selector: 'textarea',
+  crossorigin: (url, resourceType) => {
+    // Return 'anonymous' for all resources
+    return 'anonymous';
+  }
+});
+----
+
+=== Example: Conditional crossorigin attributes
+
+[source,js]
+----
+tinymce.init({
+  selector: 'textarea',
+  crossorigin: (url, resourceType) => {
+    if (url.startsWith('https://your-domain.com')) {
+      return ''; // No crossorigin for same-origin resources
+    }
+    return 'anonymous'; // Use anonymous for cross-origin resources
+  }
+});
+----
+
+[IMPORTANT]
+====
+When loading {productname} from {cloudname}:
+
+* The initial script tag must include `+crossorigin="anonymous"+` and `+referrerpolicy="origin"+`.
+* Example:
++
+[source,html,subs="attributes+"]
+----
+<script src="{cdnurl}" referrerpolicy="origin" crossorigin="anonymous"></script>
+----
+====
+
+[TIP]
+====
+* The crossorigin function runs for both scripts and stylesheets loaded by {productname}.
+* Using `+'anonymous'+` sends the Origin header without credentials.
+* Using `+'use-credentials'+` sends the Origin header with credentials (not recommended for most cases).
+* An empty string `''` means no crossorigin attribute will be set, as it omits the attribute entirely for the resource.
+* For stylesheet resources, the `+content_css_cors+` option takes precedence over the `+crossorigin+` function. See: xref:add-css-options.adoc#content_css_cors[content_css_cors] for details about cross-origin stylesheet loading.
+====
+
+=== Setting a global crossorigin function
+
+The crossorigin function can also be set globally using `+tinymce.overrideDefaults()+`:
+
+[source,js]
+----
+tinymce.overrideDefaults({
+  ...tinymce.defaultOptions,  // Preserve existing defaults
+  crossorigin: (url, resourceType) => {
+    // Your custom crossorigin logic
+    return 'anonymous';
+  }
+});
+----
+
+[IMPORTANT]
+====
+When using {cloudname}, preserving the existing defaults is required. Always include `+...tinymce.defaultOptions+` when using `+overrideDefaults+`.
+====
+
+For more details on the crossorigin attribute, see: link:https://developer.mozilla.org/en-US/docs/Web/HTML/Attributes/crossorigin[MDN Web Docs - HTML attribute: crossorigin].
diff --git a/modules/ROOT/partials/configuration/script_crossorigin.adoc b/modules/ROOT/partials/configuration/script_crossorigin.adoc
