For maintainers only:

• This needs to be documented (issue in webpack/webpack.js.org will be filed when merged)
• This needs to be backported to webpack 4 (issue will be created when merged)

Thank you for your pull request! The most important CI builds succeeded, we’ll review the pull request soon.

Interesting thing is that browser skip crossorigin attribute if origin is the same and current code is smaller, so maybe better to keep current implementation =)

Actually regarding to https://html.spec.whatwg.org/multipage/urls-and-fetching.html#cors-settings-attribute , we can optimize setting crossorigin to

function crossOrigin(crossOriginLoading) {
    if (!crossOriginLoading) return false; // missing value default state

    if (crossOriginLoading === 'use-credentials') return '"use-credentials"'; // Use Credentials state

    return '""' // invalid value default state === Anonymous state
}

original issue #10059 closed .

If it is still a problem for webpack@5 feel free create PR into main.