DOC-3147: Add crossorigin attribute to all script tags for CORS compliance.

modules/ROOT/pages/8.0-release-notes.adoc

@@ -104,6 +104,39 @@ For information on using Enhanced Skins & Icon Packs, see: xref:enhanced-skins-a
 
 // CCFR here.
 
+=== Enhanced cross-origin resource handling
+
+Added a new function-based `crossorigin` configuration option that provides granular control over cross-origin resource loading. The function receives the resource URL and type (script or stylesheet) as parameters and can return 'anonymous', 'use-credentials', or undefined to control the crossorigin attribute.
+
+.Example: Setting `+crossorigin="anonymous"+` to script.
+[source,html,subs="attributes+"]
+----
+<script src="{cdnurl}" referrerpolicy="origin" crossorigin="anonymous"></script>
+----
+Or;
+
+.Example: Setting reusable constant function.
+[source,js]
+----
+const crossOriginFunction = (url, resourceType) => {
+    // Returning 'anonymous' or 'use-credentials' here would explicitly set the attribute
+    return 'anonymous';
+    // return 'use-credentials';
+    // return undefined; // Omits the 'crossorigin' attribute for all resources by returning undefined 
+};
+
+tinymce.init({
+  selector: "textarea",
+  crossorigin: crossOriginFunction
+});
+----
+
+For more details, see: xref:configure-cross-origin-resource-loading.adoc#crossorigin[crossorigin].
+
+This improvement ensures consistent resource loading behavior across different deployment scenarios and provides better control over CORS settings for both scripts and stylesheets.
+
+For more details, see the xref:tinymce-and-cors.adoc#crossorigin[crossorigin configuration option] documentation.
+
 
 [[additions]]
 == Additions

modules/ROOT/pages/basic-setup.adoc

@@ -198,7 +198,8 @@ The following example is a basic {productname} configuration.
   <script
     type="text/javascript"
     src='{cdnurl}'
-    referrerpolicy="origin">
+    referrerpolicy="origin"
+    crossorigin="anonymous">
   </script>
   <script type="text/javascript">
   tinymce.init({

modules/ROOT/pages/cloud-troubleshooting.adoc

@@ -32,7 +32,7 @@ For example:
 
 [source,html,subs="attributes+"]
 ----
-<script src="https://cdn.tiny.cloud/1/abcd1234/tinymce/{productmajorversion}/tinymce.min.js" referrerpolicy="origin"></script>
+<script src="https://cdn.tiny.cloud/1/abcd1234/tinymce/{productmajorversion}/tinymce.min.js" referrerpolicy="origin" crossorigin="anonymous"></script>
 ----
 
 In this case, the editor will be in a **read-only** state, and a notification appears stating: **"A valid API key is required to continue using {productname}. Please alert the admin to check the current API key. Click here to learn more."**
@@ -47,7 +47,7 @@ For example: if your API is `+abcd1234+`:
 +
 [source,html,subs="attributes+"]
 ----
-<script src="https://cdn.tiny.cloud/1/abcd1234/tinymce/{productmajorversion}/tinymce.min.js" referrerpolicy="origin"></script>
+<script src="https://cdn.tiny.cloud/1/abcd1234/tinymce/{productmajorversion}/tinymce.min.js" referrerpolicy="origin" crossorigin="anonymous"></script>
 ----
 +
 . Check the `+apiKey+` provided in the script tag:
@@ -82,7 +82,7 @@ For example: if your API is `+abcd1234+`:
 
 [source,html,subs="attributes+"]
 ----
-<script src="https://cdn.tiny.cloud/1/abcd1234/tinymce/{productmajorversion}/tinymce.min.js" referrerpolicy="origin"></script>
+<script src="https://cdn.tiny.cloud/1/abcd1234/tinymce/{productmajorversion}/tinymce.min.js" referrerpolicy="origin" crossorigin="anonymous"></script>
 ----
 
 To retrieve your API key, or to sign up for an API key, visit: link:{accountsignup}/[{cloudname}].

modules/ROOT/pages/editor-and-features.adoc

@@ -20,14 +20,15 @@ The following example adds a script tag into the application that inserts the co
 
 [source,html,subs="attributes+"]
 ----
-<script src="{cdnurl}" referrerpolicy="origin"></script>
+<script src="{cdnurl}" referrerpolicy="origin" crossorigin="anonymous"></script>
 ----
 
 [cols="1,2,12",options="header"]
 |===
 | |Value |Description
 |1 |no-api-key |Replace with your api key
 |2 |origin |A `+referrerpolicy+` specifies how much of the current page's URL is sent in the `+Referer+` header when the browser fetches page resources (for example, the {productname} editor). The use of the `+Referer+` header ensures API keys are only used on domains registered to their owners. We only care about the domain portion however (similar to the operation of `+Origin+` header), so for improved performance and privacy always set the `+referrerpolicy+` to `+origin+` when requesting {cloudname} resources.
+|3 |anonymous |the `+crossorigin="anonymous"+` attribute is required on all script tags loading {productname} from {cloudname}. This attribute ensures consistent Origin header behavior for license key validation and improves security for cross-origin script loading.
 |===
 
 image::scripttag.png[Script Tag Description]
@@ -79,13 +80,15 @@ Migrating from a self-hosted environment to {cloudname} is easy. Remove the exis
 
 NOTE: The script tag typically references `+tinymce.min.js+` hosted within the application or available at a legacy CDN.
 
-Replace the script tag with the following:
+Replace the script tag with the following, making sure to include both required attributes (`referrerpolicy` and `crossorigin`):
 
 [source,html,subs="attributes+"]
 ----
-<script src="{cdnurl}" referrerpolicy="origin"></script>
+<script src="{cdnurl}" referrerpolicy="origin" crossorigin="anonymous"></script>
 ----
 
+NOTE: When migrating to {cloudname}, both the `referrerpolicy="origin"` and `crossorigin="anonymous"` attributes are required for optimal performance and cross-browser functionality.
+
 === Step 2: Update custom plugin paths
 
 Reference xref:editor-important-options.adoc#external_plugins[external_plugins] to ensure custom plugins or modified plugins continue to function in the {cloudname} deployment.

modules/ROOT/pages/editor-plugin-version.adoc

@@ -10,21 +10,21 @@ The example below shows the default way to load {productname} {productmajorversi
 
 [source,html,subs="attributes+"]
 ----
-<script src="{cdnurl}" referrerpolicy="origin"></script>
+<script src="{cdnurl}" referrerpolicy="origin" crossorigin="anonymous"></script>
 ----
 
 To load a specific version of {productname} {productmajorversion} other than the latest release, replace the `{productmajorversion}` in the URL with the desired version. For example, to load a minor version such as {productname} `{productmajorversion}.1`, use the following URL:
 
 [source,html,subs="attributes+"]
 ----
-<script src="https://cdn.tiny.cloud/1/no-api-key/tinymce/{productmajorversion}.1/tinymce.min.js" referrerpolicy="origin"></script>
+<script src="https://cdn.tiny.cloud/1/no-api-key/tinymce/{productmajorversion}.1/tinymce.min.js" referrerpolicy="origin" crossorigin="anonymous"></script>
 ----
 
 To load a specific patch version, replace the `{productmajorversion}` in the URL with the desired patch version. For example, to load {productname} `{productmajorversion}.1.2`, use the following URL:
 
 [source,html,subs="attributes+"]
 ----
-<script src="https://cdn.tiny.cloud/1/no-api-key/tinymce/{productmajorversion}.1.2/tinymce.min.js" referrerpolicy="origin"></script>
+<script src="https://cdn.tiny.cloud/1/no-api-key/tinymce/{productmajorversion}.1.2/tinymce.min.js" referrerpolicy="origin" crossorigin="anonymous"></script>
 ----
 
 [TIP]
@@ -55,7 +55,7 @@ This channel deploys the latest release of {productname} that has passed our qua
 
 [source,html,subs="attributes+"]
 ----
-<script src="{cdnurl}" referrerpolicy="origin"></script>
+<script src="{cdnurl}" referrerpolicy="origin" crossorigin="anonymous"></script>
 ----
 
 [#{productmajorversion}-testing-release-channel]
@@ -68,7 +68,7 @@ This channel deploys the current *release candidate* for the `{productmajorversi
 
 [source,html,subs="attributes+"]
 ----
-<script src="https://cdn.tiny.cloud/1/no-api-key/tinymce/{productmajorversion}-testing/tinymce.min.js" referrerpolicy="origin"></script>
+<script src="https://cdn.tiny.cloud/1/no-api-key/tinymce/{productmajorversion}-testing/tinymce.min.js" referrerpolicy="origin" crossorigin="anonymous"></script>
 ----
 
 [#{productmajorversion}-dev-release-channel]
@@ -86,7 +86,7 @@ The current version of {productname} available on the `{productmajorversion}-dev
 
 [source,html,subs="attributes+"]
 ----
-<script src="https://cdn.tiny.cloud/1/no-api-key/tinymce/{productmajorversion}-dev/tinymce.min.js" referrerpolicy="origin"></script>
+<script src="https://cdn.tiny.cloud/1/no-api-key/tinymce/{productmajorversion}-dev/tinymce.min.js" referrerpolicy="origin" crossorigin="anonymous"></script>
 ----
 
 For more details, check out the xref:editor-and-features.adoc[{productname} editor via {cloudname}].
@@ -106,7 +106,7 @@ The `plugins.min.js` script loads every premium plugin the API key is entitled t
 
 [source,html,subs="attributes+"]
 ----
-<script src="https://cdn.tiny.cloud/1/api-key/tinymce/{productmajorversion}/plugins.min.js" referrerpolicy="origin"></script>
+<script src="https://cdn.tiny.cloud/1/api-key/tinymce/{productmajorversion}/plugins.min.js" referrerpolicy="origin" crossorigin="anonymous"></script>
 ----
 
 === `plugins.min.js` with Exclusions for Specific Plugins
@@ -115,7 +115,7 @@ To exclude specific premium plugins from `plugins.min.js` because you are self-h
 
 [source,html,subs="attributes+"]
 ----
-<script src="https://cdn.tiny.cloud/1/api-key/tinymce/{productmajorversion}/plugins.min.js?mentions=sdk&powerpaste=sdk" referrerpolicy="origin"></script>
+<script src="https://cdn.tiny.cloud/1/api-key/tinymce/{productmajorversion}/plugins.min.js?mentions=sdk&powerpaste=sdk" referrerpolicy="origin" crossorigin="anonymous"></script>
 ----
 
 [NOTE]
@@ -131,7 +131,7 @@ The `cloud-plugins.min.js` script allows loading of specific premium plugins fro
 
 [source,html,subs="attributes+"]
 ----
-<script src="https://cdn.tiny.cloud/1/api-key/tinymce/{productmajorversion}/cloud-plugins.min.js?mentions&powerpaste&advcode" referrerpolicy="origin"></script>
+<script src="https://cdn.tiny.cloud/1/api-key/tinymce/{productmajorversion}/cloud-plugins.min.js?mentions&powerpaste&advcode" referrerpolicy="origin" crossorigin="anonymous"></script>
 ----
 
 [NOTE]

modules/ROOT/pages/export-to-pdf-with-jwt-authentication-nodejs.adoc

@@ -30,7 +30,8 @@ Inside the `public` folder where you created the `index.html` file add the HTML
   <title>TinyMCE with Export to PDF</title>
   <script 
     src="https://cdn.tiny.cloud/1/no-api-key/tinymce/8/tinymce.min.js"
-    referrerpolicy="origin">
+    referrerpolicy="origin"
+    crossorigin="anonymous">
   </script>
   <script>
     tinymce.init({

modules/ROOT/pages/export-to-pdf-with-jwt-authentication-php.adoc

@@ -29,7 +29,8 @@ Inside the `public` folder where you created the `index.html` file add the HTML
   <title>TinyMCE with PDF Export</title>
   <script 
     src="https://cdn.tiny.cloud/1/no-api-key/tinymce/8/tinymce.min.js"
-    referrerpolicy="origin">
+    referrerpolicy="origin"
+    crossorigin="anonymous">
   </script>
   <script>
     tinymce.init({

modules/ROOT/pages/export-to-word-with-jwt-authentication-nodejs.adoc

@@ -30,7 +30,8 @@ Inside the `public` folder where you created the `index.html` file add the HTML
   <title>TinyMCE with Export to Word</title>
   <script 
     src="https://cdn.tiny.cloud/1/no-api-key/tinymce/8/tinymce.min.js"
-    referrerpolicy="origin">
+    referrerpolicy="origin"
+    crossorigin="anonymous">
   </script>
   <script>
     tinymce.init({

modules/ROOT/pages/export-to-word-with-jwt-authentication-php.adoc

@@ -29,7 +29,8 @@ Inside the `public` folder where you created the `index.html` file add the HTML
   <title>TinyMCE with Word Export</title>
   <script 
     src="https://cdn.tiny.cloud/1/no-api-key/tinymce/8/tinymce.min.js"
-    referrerpolicy="origin">
+    referrerpolicy="origin"
+    crossorigin="anonymous">
   </script>
   <script>
     tinymce.init({

modules/ROOT/pages/features-only.adoc

@@ -14,7 +14,7 @@ Add the following script in the webpage once the script tag to load {productname
 
 [source,js,subs="attributes+"]
 ----
-<script src="https://cdn.tiny.cloud/1/no-api-key/tinymce/{productmajorversion}/plugins.min.js" referrerpolicy="origin"></script>
+<script src="https://cdn.tiny.cloud/1/no-api-key/tinymce/{productmajorversion}/plugins.min.js" referrerpolicy="origin" crossorigin="anonymous"></script>
 ----
 
 == Step 2: Specify purchased TinyMCE plugins and toolbar buttons
@@ -37,7 +37,7 @@ The following is a complete example, where:
 <html>
    <head>
       <script src="https://your_server/tinymce.min.js"></script>
-      <script src="https://cdn.tiny.cloud/1/no-api-key/tinymce/{productmajorversion}/plugins.min.js" referrerpolicy="origin"></script>
+      <script src="https://cdn.tiny.cloud/1/no-api-key/tinymce/{productmajorversion}/plugins.min.js" referrerpolicy="origin" crossorigin="anonymous"></script>
    </head>
    <body>
       <textarea><p>test textarea</p></textarea>

modules/ROOT/pages/import-from-word-with-jwt-authentication-nodejs.adoc

@@ -30,7 +30,8 @@ Inside the `public` folder where you created the `index.html` file add the HTML
   <title>TinyMCE with Import from Word</title>
   <script 
     src="https://cdn.tiny.cloud/1/no-api-key/tinymce/8/tinymce.min.js"
-    referrerpolicy="origin">
+    referrerpolicy="origin"
+    crossorigin="anonymous">
   </script>
   <script>
     tinymce.init({

modules/ROOT/pages/import-from-word-with-jwt-authentication-php.adoc

@@ -29,7 +29,8 @@ Inside the `public` folder where you created the `index.html` file add the HTML
   <title>TinyMCE with Word Import</title>
   <script 
     src="https://cdn.tiny.cloud/1/no-api-key/tinymce/8/tinymce.min.js"
-    referrerpolicy="origin">
+    referrerpolicy="origin"
+    crossorigin="anonymous">
   </script>
   <script>
     tinymce.init({

modules/ROOT/pages/migration-from-froala.adoc

@@ -38,7 +38,7 @@ To migrate from a basic Froala 3 configuration to a basic {productname} {product
 +
 [source,html,subs="attributes+"]
 ----
-<script src='https://cdn.tiny.cloud/1/no-api-key/tinymce/{productmajorversion}/tinymce.min.js' referrerpolicy='origin'></script>
+<script src='https://cdn.tiny.cloud/1/no-api-key/tinymce/{productmajorversion}/tinymce.min.js' referrerpolicy='origin' crossorigin='anonymous'></script>
 ----
 +
 Replace `+no-api-key+` with your link:{accountpageurl}/[{cloudname} API key].
@@ -119,7 +119,7 @@ The following examples show an initial Froala configuration and the migrated {pr
 <html>
   <head>
     <meta charset='utf-8'>
-    <script src='https://cdn.tiny.cloud/1/my-api-key/tinymce/5/tinymce.min.js' referrerpolicy='origin'></script>
+    <script src='https://cdn.tiny.cloud/1/my-api-key/tinymce/5/tinymce.min.js' referrerpolicy='origin' crossorigin='anonymous'></script>
   </head>
   <body>
     <form method='post'>

modules/ROOT/pages/multiple-editors.adoc

@@ -14,7 +14,7 @@ The following example breaks the page into two separate editable areas. Each are
 <html>
 <head>
   <meta name="viewport" content="width=device-width, initial-scale=1">
-  <script src="{cdnurl}" referrerpolicy="origin"></script>
+  <script src="{cdnurl}" referrerpolicy="origin" crossorigin="anonymous"></script>
   <script type="text/javascript">
   tinymce.init({
     selector: '.myeditablediv',
@@ -48,7 +48,7 @@ The following example loads each editable area with a unique configuration of {p
 <html>
 <head>
   <meta name="viewport" content="width=device-width, initial-scale=1">
-  <script src="{cdnurl}" referrerpolicy="origin"></script>
+  <script src="{cdnurl}" referrerpolicy="origin" crossorigin="anonymous"></script>
   <script type="text/javascript">
   tinymce.init({
     selector: '#myeditable-h1',

modules/ROOT/pages/plugin-editor-version-compatibility.adoc

@@ -23,7 +23,7 @@ to:
 ----
 <script
  src='https://cdn.tiny.cloud/1/no-api-key/tinymce/{productmajorversion}/tinymce.min.js'
- referrerpolicy='origin'
+ referrerpolicy='origin' crossorigin='anonymous'
 ></script>
 ----
 

modules/ROOT/pages/tinymce-and-cors.adoc

@@ -5,6 +5,8 @@
 
 == Cross-Origin Resource Sharing related options
 
+include::partial$configuration/crossorigin.adoc[leveloffset=+1]
+
 include::partial$configuration/referrer_policy.adoc[leveloffset=+1]
 
 include::partial$configuration/content_css_cors.adoc[leveloffset=+1]

modules/ROOT/pages/use-tinymce-inline.adoc

@@ -26,7 +26,7 @@ Inline mode only works on content within a block element (such as: `+div+` or `+
 <html>
 <head>
   <meta name="viewport" content="width=device-width, initial-scale=1">
-  <script src="{cdnurl}" referrerpolicy="origin"></script>
+  <script src="{cdnurl}" referrerpolicy="origin" crossorigin="anonymous"></script>
   <script type="text/javascript">
   tinymce.init({
     selector: '#myeditablediv',

modules/ROOT/pages/work-with-plugins.adoc

@@ -19,7 +19,7 @@ Let's start with a simple code snippet you can paste into an empty `+html+` file
 <!DOCTYPE html>
 <html>
 <head>
-  <script src="{cdnurl}" referrerpolicy="origin"></script>
+  <script src="{cdnurl}" referrerpolicy="origin" crossorigin="anonymous"></script>
   <script type="text/javascript">
   tinymce.init({
     selector: 'textarea'