DOC-3233: Add release notes entry for new crossorigin option, and updated script_crossorigin.adoc partial to provide examples.

Author: kemister85

modules/ROOT/pages/8.0-release-notes.adoc

@@ -104,6 +104,23 @@ For information on using Enhanced Skins & Icon Packs, see: xref:enhanced-skins-a
 
 // CCFR here.
 
+=== ScriptLoader cross-origin attribute support
+
+Added configurable cross-origin attribute support to ScriptLoader. This improvement allows setting the `crossorigin` attribute for script loading, which is particularly important for {productname} Cloud deployments where browsers or security software might interfere with Referer headers. The new `crossorigin` option supports values such as "anonymous", following the same pattern as the existing `referrer_policy` option.
+
+This improvement is especially relevant for {productname} {release-version} users utilizing {companyname} Cloud, as it ensures consistent loading behavior for both the main {productname} script and plugins when browsers or security software (like Norton Antivirus) interfere with Referer headers.
+
+Example configuration:
+[source,js]
+----
+tinymce.init({
+  selector: 'textarea',
+  crossorigin: 'anonymous'
+});
+----
+
+For more details, see the xref:tinymce-and-cors.adoc[ScriptLoader cross-origin attribute support] section.
+
 
 [[additions]]
 == Additions

modules/ROOT/partials/configuration/script_crossorigin.adoc

@@ -19,3 +19,34 @@ For a list of valid crossorigin values, see: link:https://developer.mozilla.org/
 ----
 
 NOTE: Both the `+referrerpolicy="origin"+` and `+crossorigin="anonymous"+` attributes are required when loading {productname} from {cloudname}. These work together to ensure proper domain validation and secure cross-origin resource loading.
+
+== Configuration Option: `+crossorigin+`
+
+If using {productname} 8 or later, configure the `+crossorigin+` attribute for dynamically loaded scripts via the ScriptLoader. This is particularly useful when loading plugins or other resources that require cross-origin requests.
+
+*Type:* `+String+`
+
+*Default value:* `+''+`
+
+*Possible values:* `+'anonymous'+`, `+'use-credentials'+`, `+''+`
+
+=== Example: Using the configuration option
+
+[source,js]
+----
+tinymce.init({
+  selector: 'textarea',
+  crossorigin: 'anonymous'  // Applied to all scripts loaded via ScriptLoader
+});
+----
+
+[TIP]
+====
+* When using {cloudname}, setting `+crossorigin="anonymous"+` in the configuration ensures consistent behavior between the main script and dynamically loaded plugins.
+* The value set in the configuration applies to all resources loaded through ScriptLoader.
+* Using `+'anonymous'+` sends the Origin header without credentials.
+* Using `+'use-credentials'+` sends the Origin header with credentials, which is **not** recommended for most use cases.
+* An empty string or omitting the option will not set the crossorigin attribute on dynamically loaded scripts.
+====
+
+For more details on the crossorigin attribute, see: link:https://developer.mozilla.org/en-US/docs/Web/HTML/Attributes/crossorigin[MDN Web Docs - HTML attribute: crossorigin].