Add HTML5 crossorigin attribute.

[nlewycky]

In suggested code to copy and paste, load spectre.css from CDNs without sending user-credentials.
Verified

[nlewycky]

@lu4p I don't think that's what the page is saying. The page says:

By default (that is, when the attribute is not specified), CORS is not used at all.

The default value of the crossorigin attribute is anonymous, which makes <link crossorigin> equivalent to <link crossorigin="anonymous">. However, that's not the same as leaving out crossorigin entirely which is to not use CORS at all.

The rationale is that crossorigin is new and if it's present at all then your HTML was written in an age after CORS was created. Leaving it out has to have behaviour compatible with a pre-CORS world, so the browser will send along other cookies, etc.

I think I actually checked the HTTP headers in Chrome developer tools before sending out this PR, but I'm not longer sure. I can check again and get back to you on this PR.