The TinyMCE Cross-Origin Resource Sharing guide

referrer_policy

Used for setting the level of referrer information sent when loading plugins and CSS. Referrer policies can be used to:

  • Improve the privacy of end-users.

  • Assist with server-side filtering of cross-origin requests for TinyMCE resources.

Type: String

For a list of valid referrer policies (directives), see: MDN Web Docs - Referrer-Policy.

Example: using referrer_policy

tinymce.init({
  selector: 'textarea',  // change this value according to your HTML
  referrer_policy: 'origin'
});

content_css_cors

When content_css_cors is set to true, the editor will add a crossorigin="anonymous" attribute to the link tags that the StyleSheetLoader uses when loading the content_css. This allows you to host the content_css on a different server than the editor itself.

Type: Boolean

Default value: false

Possible values: true, false

Example: using content_css_cors

// File: http://domain.mine/mysite/index.html

tinymce.init({
  selector: 'textarea',  // change this value according to your HTML
  content_css: 'http://www.somewhere.example/mycontent.css',
  content_css_cors: true
});

editimage_cors_hosts

The Enhanced Image Editing plugin cannot work with images from another domain due to security measures imposed by browsers on so called cross-origin HTTP requests. To overcome these constraints, Cross-Origin Resource Sharing (CORS) must be explicitly enabled on the specified domain(s) (for more information check HTTP access control).

An array of supported domains for the images (with CORS enabled on them) can be supplied to TinyMCE via the editimage_cors_hosts option.

Each string in the array must be in the format of example.com. Do not include protocols (for example, http://, https://) or any trailing slashes in your domains.
editimage_cors_hosts is not required when enabling this plugin via Tiny Cloud.

Type: Array

Default value: []

Example: editimage_cors_hosts

tinymce.init({
  selector: 'textarea',  // change this value according to your HTML
  toolbar: 'editimage',
  plugins: 'image editimage',
  editimage_cors_hosts: [ 'example.com', 'example.net' ]
});

export_cors_hosts

The Export plugin cannot work with images from another domain due to security measures imposed by browsers on so called cross-origin HTTP requests. To overcome these constraints, Cross-Origin Resource Sharing (CORS) must be explicitly enabled on the specified domain(s) (for more information check HTTP access control).

An array of supported domains for the images (with CORS enabled on them) can be supplied to TinyMCE via the export_cors_hosts option.

Each string in the array must be in the format of example.com. Do not include protocols (for example, http://, https://) or any trailing slashes in your domains.
export_cors_hosts is not required when enabling this plugin via Tiny Cloud.

Type: Array

Default value: []

Example: export_cors_hosts

tinymce.init({
  selector: 'textarea',  // change this value according to your HTML
  toolbar: 'export',
  plugins: 'image export',
  export_cors_hosts: [ 'example.com', 'example.net' ]
});