This is useful in cases where the requested resource is not on a server you control, or you just want to handle registering the attribution source on a different server. In this case, you can specify one or more URLs as the value of attributionsrc. When the resource request occurs the Attribution-Reporting-Eligible header will be sent to the URL(s) specified in attributionSrc in addition to the resource origin. These URLs can then respond with a Attribution-Reporting-Register-Source or Attribution-Reporting-Register-Trigger header as appropriate to complete registration.

Note: Specifying multiple URLs means that multiple attribution sources can be registered on the same feature. You might for example have different campaigns that you are trying to measure the success of, which involve generating different reports on different data.

See the Attribution Reporting API for more details.

blocking

This attribute explicitly indicates that certain operations should be blocked on the fetching of the script. The operations that are to be blocked must be a space-separated list of blocking tokens listed below.

  • render: The rendering of content on the screen is blocked.
crossorigin

Normal script elements pass minimal information to the window.onerror for scripts which do not pass the standard CORS checks. To allow error logging for sites which use a separate domain for static media, use this attribute. See CORS settings attributes for a more descriptive explanation of its valid arguments.

defer

This Boolean attribute is set to indicate to a browser that the script is meant to be executed after the document has been parsed, but before firing DOMContentLoaded event.

Scripts with the defer attribute will prevent the DOMContentLoaded event from firing until the script has loaded and finished evaluating.

Warning: This attribute must not be used if the src attribute is absent (i.e., for inline scripts), in this case it would have no effect.

The defer attribute has no effect on module scripts — they defer by default.

Scripts with the defer attribute will execute in the order in which they appear in the document.

This attribute allows the elimination of parser-blocking JavaScript where the browser would have to load and evaluate scripts before continuing to parse. async has a similar effect in this case.

If the attribute is specified with the async attribute, the element will act as if only the async attribute is specified.

fetchpriority

Provides a hint of the relative priority to use when fetching an external script. Allowed values:

high

Fetch the external script at a high priority relative to other external scripts.

low

Fetch the external script at a low priority relative to other external scripts.

auto

Don't set a preference for the fetch priority. This is the default. It is used if no value or an invalid value is set.

See HTMLScriptElement.fetchPriority for more information.

integrity

This attribute contains inline metadata that a user agent can use to verify that a fetched resource has been delivered without unexpected manipulation. The attribute must not be specified when the src attribute is absent. See Subresource Integrity.

nomodule

This Boolean attribute is set to indicate that the script should not be executed in browsers that support ES modules — in effect, this can be used to serve fallback scripts to older browsers that do not support modular JavaScript code.

nonce

A cryptographic nonce (number used once) to allow scripts in a script-src Content-Security-Policy. The server must generate a unique nonce value each time it transmits a policy. It is critical to provide a nonce that cannot be guessed as bypassing a resource's policy is otherwise trivial.

referrerpolicy

Indicates which referrer to send when fetching the script, or resources fetched by the script:

  • no-referrer: The Referer header will not be sent.
  • no-referrer-when-downgrade: The Referer header will not be sent to origins without TLS (HTTPS).
  • origin: The sent referrer will be limited to the origin of the referring page: its scheme, host, and port.
  • origin-when-cross-origin: The referrer sent to other origins will be limited to the scheme, the host, and the port. Navigations on the same origin will still include the path.
  • same-origin: A referrer will be sent for same origin, but cross-origin requests will contain no referrer information.
  • strict-origin: Only send the origin of the document as the referrer when the protocol security level stays the same (HTTPS→HTTPS), but don't send it to a less secure destination (HTTPS→HTTP).
  • strict-origin-when-cross-origin (default): Send a full URL when performing a same-origin request, only send the origin when the protocol security level stays the same (HTTPS→HTTPS), and send no header to a less secure destination (HTTPS→HTTP).
  • unsafe-url: The referrer will include the origin and the path (but not the fragment, password, or username). This value is unsafe, because it leaks origins and paths from TLS-protected resources to insecure origins.

Note: An empty string value ("") is both the default value, and a fallback value if referrerpolicy is not supported. If referrerpolicy is not explicitly specified on the

The following example shows how to put (an inline) script inside the

async and defer

Scripts loaded using the async attribute will download the script without blocking the page while the script is being fetched. However, once the download is complete, the script will execute, which blocks the page from rendering. This means that the rest of the content on the web page is prevented from being processed and displayed to the user until the script finishes executing. You get no guarantee that scripts will run in any specific order. It is best to use async when the scripts in the page run independently from each other and depend on no other script on the page.

Scripts loaded with the defer attribute will load in the order they appear on the page. They won't run until the page content has all loaded, which is useful if your scripts depend on the DOM being in place (e.g., they modify one or more elements on the page).

Here is a visual representation of the different script loading methods and what that means for your page:

How the three script loading method work: default has parsing blocked while JavaScript is fetched and executed. With async, the parsing pauses for execution only. With defer, parsing isn't paused, but execution on happens after everything is else is parsed.

This image is from the HTML spec, copied and cropped to a reduced version, under CC BY 4.0 license terms.

For example, if you have the following script elements:

html

You can't rely on the order the scripts will load in. jquery.js may load before or after script2.js and script3.js and if this is the case, any functions in those scripts depending on jquery will produce an error because jquery will not be defined at the time the script runs.

async should be used when you have a bunch of background scripts to load in, and you just want to get them in place as soon as possible. For example, maybe you have some game data files to load, which will be needed when the game actually begins, but for now you just want to get on with showing the game intro, titles, and lobby, without them being blocked by script loading.

Scripts loaded using the defer attribute (see below) will run in the order they appear in the page and execute them as soon as the script and content are downloaded:

html

In the second example, we can be sure that jquery.js will load before script2.js and script3.js and that script2.js will load before script3.js. They won't run until the page content has all loaded, which is useful if your scripts depend on the DOM being in place (e.g., they modify one or more elements on the page).

To summarize:

  • async and defer both instruct the browser to download the script(s) in a separate thread, while the rest of the page (the DOM, etc.) is downloading, so the page loading is not blocked during the fetch process.
  • scripts with an async attribute will execute as soon as the download is complete. This blocks the page and does not guarantee any specific execution order.
  • scripts with a defer attribute will load in the order they are in and will only execute once everything has finished loading.
  • If your scripts should be run immediately and they don't have any dependencies, then use async.
  • If your scripts need to wait for parsing and depend on other scripts and/or the DOM being in place, load them using defer and put their corresponding

Importing modules with importmap

When importing modules in scripts, if you don't use the type=importmap feature, then each module must be imported using a module specifier that is either an absolute or relative URL. In the example below, the first module specifier is an absolute URL, while the second ("./shapes/square.js") resolves relative to the base URL of the document.

js
import { name as circleName } from "https://example.com/shapes/circle.js";
import { name as squareName, draw } from "./shapes/square.js";

An import map allows you to provide a mapping that, if matched, can replace the text in the module specifier. The import map below defines keys circle and square that can be used as aliases for the module specifiers shown above.

html

This allows us to import modules using names in the module specifier (rather than absolute or relative URLs).

js
import { name as circleName } from "circle";
import { name as squareName, draw } from "square";

For more examples of what you can do with import maps, see the Importing modules using import maps section in the JavaScript modules guide.

Embedding data in HTML

You can also use the

Blocking rendering till a script is fetched and executed

You can include render token inside a blocking attribute; the rendering of the page will be blocked till the script is fetched and executed. In the example below, we block rendering on an async script, so that the script doesn't block parsing but is guaranteed to be evaluated before rendering starts.

html

Technical summary

Content categories Metadata content, Flow content, Phrasing content.
Permitted content Dynamic script such as text/javascript.
Tag omission None, both the starting and ending tag are mandatory.
Permitted parents Any element that accepts metadata content, or any element that accepts phrasing content.
Implicit ARIA role No corresponding role
Permitted ARIA roles No role permitted
DOM interface HTMLScriptElement

Specifications

Specification
HTML
# the-script-element

Browser compatibility

See also

\n\n

This is useful in cases where the requested resource is not on a server you control, or you just want to handle registering the attribution source on a different server. In this case, you can specify one or more URLs as the value of attributionsrc. When the resource request occurs the Attribution-Reporting-Eligible header will be sent to the URL(s) specified in attributionSrc in addition to the resource origin. These URLs can then respond with a Attribution-Reporting-Register-Source or Attribution-Reporting-Register-Trigger header as appropriate to complete registration.\n

\n

Note:\nSpecifying multiple URLs means that multiple attribution sources can be registered on the same feature. You might for example have different campaigns that you are trying to measure the success of, which involve generating different reports on different data.\n\n\n\n

See the Attribution Reporting API for more details.\n\n

blocking\n
\n

This attribute explicitly indicates that certain operations should be blocked on the fetching of the script. The operations that are to be blocked must be a space-separated list of blocking tokens listed below.\n