DOC-3147: Add crossorigin attribute to all script tags for CORS compliance. (#3762)

* DOC-3147: Add crossorigin attribute to script tags for CORS compliance.

* DOC-3233: Add release notes entry for new crossorigin option, and updated script_crossorigin.adoc partial to provide examples.

* DOC-3233:Refactor CORS documentation: replace script_crossorigin.adoc with crossorigin.adoc for improved clarity and organization.

* DOC-3233: Update crossorigin function in release notes to match new implementaiton standard.

* DOC-3147: Refactor crossorigin examples in documentation to clarify attribute handling and provide options for omitting the attribute.

* DOC-3147: Fix indent issues.

* DOC-3147: Update scripttag.png file to include crossorigin.

* Update modules/ROOT/partials/configuration/crossorigin.adoc

* Update modules/ROOT/partials/configuration/crossorigin.adoc

* Update modules/ROOT/partials/configuration/crossorigin.adoc

* Update modules/ROOT/partials/configuration/crossorigin.adoc

* Update modules/ROOT/pages/8.0-release-notes.adoc

* Update modules/ROOT/pages/editor-and-features.adoc

Author: kemister85

modules/ROOT/images/scripttag.png

@@ -254,6 +254,39 @@ For information on using Enhanced Skins & Icon Packs, see: xref:enhanced-skins-a
 
 {productname} {release-version} also includes the following improvement<s>:
 
+=== Enhanced cross-origin resource handling
+
+Added a new function-based `crossorigin` configuration option that provides granular control over cross-origin resource loading. The function receives the resource URL and type (script or stylesheet) as parameters and can return 'anonymous', 'use-credentials', or undefined to control the crossorigin attribute.
+
+.Example: Setting `+crossorigin="anonymous"+` to script.
+[source,html,subs="attributes+"]
+----
+<script src="{cdnurl}" referrerpolicy="origin" crossorigin="anonymous"></script>
+----
+Or;
+
+.Example: Setting reusable constant function.
+[source,js]
+----
+const crossOriginFunction = (url, resourceType) => {
+    // Returning 'anonymous' or 'use-credentials' here would explicitly set the attribute
+    return 'anonymous';
+    // return 'use-credentials';
+    // return undefined; // Omits the 'crossorigin' attribute for all resources by returning undefined 
+};
+
+tinymce.init({
+  selector: "textarea",
+  crossorigin: crossOriginFunction
+});
+----
+
+For more details, see: xref:configure-cross-origin-resource-loading.adoc#crossorigin[crossorigin].
+
+This improvement ensures consistent resource loading behavior across different deployment scenarios and provides better control over CORS settings for both scripts and stylesheets.
+
+For more details, see xref:tinymce-and-cors.adoc#crossorigin[crossorigin configuration option] documentation.
+
 === Tooltips can now be closed by pressing the `escape` key.
 // #TINY-12054
 
@@ -334,6 +367,7 @@ Split buttons in {productname} {release-version} now render as two independent,
 
 Previously, menu items and tooltips containing three consecutive periods (`...`) were read aloud by the JAWS screen reader as "dot dot dot," which could confuse users relying on assistive technologies. To enhance accessibility, the `translate` API in {productname} {release-version} now automatically replaces three dots with the typographic ellipsis character (`…`) across all translations. This update ensures a consistent visual appearance while improving screen reader behavior, as the ellipsis character is not read aloud. The change is implemented directly in the translation function, ensuring comprehensive coverage across all languages.
 
+
 [[additions]]
 == Additions
 

modules/ROOT/pages/8.0-release-notes.adoc

@@ -198,7 +198,8 @@ The following example is a basic {productname} configuration.
   <script
     type="text/javascript"
     src='{cdnurl}'
-    referrerpolicy="origin">
+    referrerpolicy="origin"
+    crossorigin="anonymous">
   </script>
   <script type="text/javascript">
   tinymce.init({

modules/ROOT/pages/basic-setup.adoc

@@ -32,7 +32,7 @@ For example:
 
 [source,html,subs="attributes+"]
 ----
-<script src="https://cdn.tiny.cloud/1/abcd1234/tinymce/{productmajorversion}/tinymce.min.js" referrerpolicy="origin"></script>
+<script src="https://cdn.tiny.cloud/1/abcd1234/tinymce/{productmajorversion}/tinymce.min.js" referrerpolicy="origin" crossorigin="anonymous"></script>
 ----
 
 In this case, the editor will be in a **read-only** state, and a notification appears stating: **"A valid API key is required to continue using {productname}. Please alert the admin to check the current API key. Click here to learn more."**
@@ -47,7 +47,7 @@ For example: if your API is `+abcd1234+`:
 +
 [source,html,subs="attributes+"]
 ----
-<script src="https://cdn.tiny.cloud/1/abcd1234/tinymce/{productmajorversion}/tinymce.min.js" referrerpolicy="origin"></script>
+<script src="https://cdn.tiny.cloud/1/abcd1234/tinymce/{productmajorversion}/tinymce.min.js" referrerpolicy="origin" crossorigin="anonymous"></script>
 ----
 +
 . Check the `+apiKey+` provided in the script tag:
@@ -82,7 +82,7 @@ For example: if your API is `+abcd1234+`:
 
 [source,html,subs="attributes+"]
 ----
-<script src="https://cdn.tiny.cloud/1/abcd1234/tinymce/{productmajorversion}/tinymce.min.js" referrerpolicy="origin"></script>
+<script src="https://cdn.tiny.cloud/1/abcd1234/tinymce/{productmajorversion}/tinymce.min.js" referrerpolicy="origin" crossorigin="anonymous"></script>
 ----
 
 To retrieve your API key, or to sign up for an API key, visit: link:{accountsignup}/[{cloudname}].

modules/ROOT/pages/cloud-troubleshooting.adoc

@@ -20,14 +20,15 @@ The following example adds a script tag into the application that inserts the co
 
 [source,html,subs="attributes+"]
 ----
-<script src="{cdnurl}" referrerpolicy="origin"></script>
+<script src="{cdnurl}" referrerpolicy="origin" crossorigin="anonymous"></script>
 ----
 
 [cols="1,2,12",options="header"]
 |===
 | |Value |Description
 |1 |no-api-key |Replace with your api key
 |2 |origin |A `+referrerpolicy+` specifies how much of the current page's URL is sent in the `+Referer+` header when the browser fetches page resources (for example, the {productname} editor). The use of the `+Referer+` header ensures API keys are only used on domains registered to their owners. We only care about the domain portion however (similar to the operation of `+Origin+` header), so for improved performance and privacy always set the `+referrerpolicy+` to `+origin+` when requesting {cloudname} resources.
+|3 |anonymous |the `+crossorigin="anonymous"+` attribute is required on all script tags loading {productname} from {cloudname}. This attribute ensures consistent Origin header behavior for license key validation and improves security for cross-origin script loading.
 |===
 
 image::scripttag.png[Script Tag Description]
@@ -79,13 +80,15 @@ Migrating from a self-hosted environment to {cloudname} is easy. Remove the exis
 
 NOTE: The script tag typically references `+tinymce.min.js+` hosted within the application or available at a legacy CDN.
 
-Replace the script tag with the following:
+Replace the script tag with the following, making sure to include both required attributes (`referrerpolicy` and `crossorigin`):
 
 [source,html,subs="attributes+"]
 ----
-<script src="{cdnurl}" referrerpolicy="origin"></script>
+<script src="{cdnurl}" referrerpolicy="origin" crossorigin="anonymous"></script>
 ----
 
+NOTE: When migrating to {cloudname}, both the `referrerpolicy="origin"` and `crossorigin="anonymous"` attributes are required for optimal performance and cross-browser functionality.
+
 === Step 2: Update custom plugin paths
 
 Reference xref:editor-important-options.adoc#external_plugins[external_plugins] to ensure custom plugins or modified plugins continue to function in the {cloudname} deployment.

modules/ROOT/pages/editor-and-features.adoc

@@ -10,21 +10,21 @@ The example below shows the default way to load {productname} {productmajorversi
 
 [source,html,subs="attributes+"]
 ----
-<script src="{cdnurl}" referrerpolicy="origin"></script>
+<script src="{cdnurl}" referrerpolicy="origin" crossorigin="anonymous"></script>
 ----
 
 To load a specific version of {productname} {productmajorversion} other than the latest release, replace the `{productmajorversion}` in the URL with the desired version. For example, to load a minor version such as {productname} `{productmajorversion}.1`, use the following URL:
 
 [source,html,subs="attributes+"]
 ----
-<script src="https://cdn.tiny.cloud/1/no-api-key/tinymce/{productmajorversion}.1/tinymce.min.js" referrerpolicy="origin"></script>
+<script src="https://cdn.tiny.cloud/1/no-api-key/tinymce/{productmajorversion}.1/tinymce.min.js" referrerpolicy="origin" crossorigin="anonymous"></script>
 ----
 
 To load a specific patch version, replace the `{productmajorversion}` in the URL with the desired patch version. For example, to load {productname} `{productmajorversion}.1.2`, use the following URL:
 
 [source,html,subs="attributes+"]
 ----
-<script src="https://cdn.tiny.cloud/1/no-api-key/tinymce/{productmajorversion}.1.2/tinymce.min.js" referrerpolicy="origin"></script>
+<script src="https://cdn.tiny.cloud/1/no-api-key/tinymce/{productmajorversion}.1.2/tinymce.min.js" referrerpolicy="origin" crossorigin="anonymous"></script>
 ----
 
 [TIP]
@@ -55,7 +55,7 @@ This channel deploys the latest release of {productname} that has passed our qua
 
 [source,html,subs="attributes+"]
 ----
-<script src="{cdnurl}" referrerpolicy="origin"></script>
+<script src="{cdnurl}" referrerpolicy="origin" crossorigin="anonymous"></script>
 ----
 
 [#{productmajorversion}-testing-release-channel]
@@ -68,7 +68,7 @@ This channel deploys the current *release candidate* for the `{productmajorversi
 
 [source,html,subs="attributes+"]
 ----
-<script src="https://cdn.tiny.cloud/1/no-api-key/tinymce/{productmajorversion}-testing/tinymce.min.js" referrerpolicy="origin"></script>
+<script src="https://cdn.tiny.cloud/1/no-api-key/tinymce/{productmajorversion}-testing/tinymce.min.js" referrerpolicy="origin" crossorigin="anonymous"></script>
 ----
 
 [#{productmajorversion}-dev-release-channel]
@@ -86,7 +86,7 @@ The current version of {productname} available on the `{productmajorversion}-dev
 
 [source,html,subs="attributes+"]
 ----
-<script src="https://cdn.tiny.cloud/1/no-api-key/tinymce/{productmajorversion}-dev/tinymce.min.js" referrerpolicy="origin"></script>
+<script src="https://cdn.tiny.cloud/1/no-api-key/tinymce/{productmajorversion}-dev/tinymce.min.js" referrerpolicy="origin" crossorigin="anonymous"></script>
 ----
 
 For more details, check out the xref:editor-and-features.adoc[{productname} editor via {cloudname}].
@@ -106,7 +106,7 @@ The `plugins.min.js` script loads every premium plugin the API key is entitled t
 
 [source,html,subs="attributes+"]
 ----
-<script src="https://cdn.tiny.cloud/1/api-key/tinymce/{productmajorversion}/plugins.min.js" referrerpolicy="origin"></script>
+<script src="https://cdn.tiny.cloud/1/api-key/tinymce/{productmajorversion}/plugins.min.js" referrerpolicy="origin" crossorigin="anonymous"></script>
 ----
 
 === `plugins.min.js` with Exclusions for Specific Plugins
@@ -115,7 +115,7 @@ To exclude specific premium plugins from `plugins.min.js` because you are self-h
 
 [source,html,subs="attributes+"]
 ----
-<script src="https://cdn.tiny.cloud/1/api-key/tinymce/{productmajorversion}/plugins.min.js?mentions=sdk&powerpaste=sdk" referrerpolicy="origin"></script>
+<script src="https://cdn.tiny.cloud/1/api-key/tinymce/{productmajorversion}/plugins.min.js?mentions=sdk&powerpaste=sdk" referrerpolicy="origin" crossorigin="anonymous"></script>
 ----
 
 [NOTE]
@@ -131,7 +131,7 @@ The `cloud-plugins.min.js` script allows loading of specific premium plugins fro
 
 [source,html,subs="attributes+"]
 ----
-<script src="https://cdn.tiny.cloud/1/api-key/tinymce/{productmajorversion}/cloud-plugins.min.js?mentions&powerpaste&advcode" referrerpolicy="origin"></script>
+<script src="https://cdn.tiny.cloud/1/api-key/tinymce/{productmajorversion}/cloud-plugins.min.js?mentions&powerpaste&advcode" referrerpolicy="origin" crossorigin="anonymous"></script>
 ----
 
 [NOTE]

modules/ROOT/pages/editor-plugin-version.adoc

@@ -30,7 +30,8 @@ Inside the `public` folder where you created the `index.html` file add the HTML
   <title>TinyMCE with Export to PDF</title>
   <script 
     src="https://cdn.tiny.cloud/1/no-api-key/tinymce/8/tinymce.min.js"
-    referrerpolicy="origin">
+    referrerpolicy="origin"
+    crossorigin="anonymous">
   </script>
   <script>
     tinymce.init({

modules/ROOT/pages/export-to-pdf-with-jwt-authentication-nodejs.adoc

@@ -29,7 +29,8 @@ Inside the `public` folder where you created the `index.html` file add the HTML
   <title>TinyMCE with PDF Export</title>
   <script 
     src="https://cdn.tiny.cloud/1/no-api-key/tinymce/8/tinymce.min.js"
-    referrerpolicy="origin">
+    referrerpolicy="origin"
+    crossorigin="anonymous">
   </script>
   <script>
     tinymce.init({

modules/ROOT/pages/export-to-pdf-with-jwt-authentication-php.adoc

@@ -30,7 +30,8 @@ Inside the `public` folder where you created the `index.html` file add the HTML
   <title>TinyMCE with Export to Word</title>
   <script 
     src="https://cdn.tiny.cloud/1/no-api-key/tinymce/8/tinymce.min.js"
-    referrerpolicy="origin">
+    referrerpolicy="origin"
+    crossorigin="anonymous">
   </script>
   <script>
     tinymce.init({

modules/ROOT/pages/export-to-word-with-jwt-authentication-nodejs.adoc

@@ -29,7 +29,8 @@ Inside the `public` folder where you created the `index.html` file add the HTML
   <title>TinyMCE with Word Export</title>
   <script 
     src="https://cdn.tiny.cloud/1/no-api-key/tinymce/8/tinymce.min.js"
-    referrerpolicy="origin">
+    referrerpolicy="origin"
+    crossorigin="anonymous">
   </script>
   <script>
     tinymce.init({