<script> element can also be used with other languages, such as WebGL’s GLSL shader programming language and JSON.
<script> element either contains scripting statements, or it points to an external script file through the
For classic scripts, if the
async attribute is present, then the classic script will be fetched in parallel to parsing and evaluated as soon as it is available.
For module scripts, if the
async attribute is present then the scripts and all their dependencies will be executed in the defer queue, therefore they will get fetched in parallel to parsing and evaluated as soon as they are available.
defer has a similar effect in this case.
This is a boolean attribute: the presence of a boolean attribute on an element represents the true value, and the absence of the attribute represents the false value.
<script> elements pass minimal information to the
window.onerror for scripts which do not pass the standard CORS checks. Use this attribute to allow error logging for sites which use a separate domain for static media.
This Boolean attribute is set to indicate to a browser that the script is meant to be executed after the document has been parsed, but before firing
Scripts with the
defer attribute will prevent the
DOMContentLoaded event from firing until the script has loaded and finished evaluating.
This attribute must not be used if the
src attribute is absent (i.e. for inline scripts), in this case it would have no effect.
defer attribute has no effect on module scripts — they defer by default.
Scripts with the
defer attribute will execute in the order in which they appear in the document.
async has a similar effect in this case.
This attribute contains inline metadata that a user agent can use to verify that a fetched resource has been delivered free of unexpected manipulation.
A cryptographic nonce (number used once) to allow scripts in a script-src Content-Security-Policy. The server must generate a unique nonce value each time it transmits a policy. It is critical to provide a nonce that cannot be guessed as bypassing a resource’s policy is otherwise trivial.
Indicates which referrer to send when fetching the script, or resources fetched by the script:
Refererheader will not be sent.
Refererheader will not be sent to origins without TLS (HTTPS).
origin: the sent referrer will be limited to the origin of the referring page: its scheme, host and port.
origin-when-cross-origin: the referrer sent to other origins will be limited to the scheme, the host and the port. Navigations on the same origin will still include the path.
same-origin: a referrer will be sent for same origin, but cross-origin requests will contain no referrer information.
strict-origin: only send the origin of the document as the referrer when the protocol security level stays the same (HTTPS→HTTPS), but don’t send it to a less secure destination (HTTPS→HTTP).
strict-origin-when-cross-origin(default): send a full URL when performing a same-origin request, only send the origin when the protocol security level stays the same (HTTPS→HTTPS), and send no header to a less secure destination (HTTPS→HTTP).
unsafe-url: the referrer will include the origin and the path (but not the fragment, password or username). This value is unsafe, because it leaks origins and paths from TLS-protected resources to insecure origins.
An empty string value (“”) is both the default value, and a fallback value if
referrerpolicy is not supported. If
referrerpolicy is not explicitly specified on the
<script> element, it will adopt a higher-level referrer policy, i.e. one set on the whole document or domain. If a higher-level policy is not available, the empty string is treated as being equivalent to
This attribute specifies the URI of an external script; this can be used as an alternative to embedding a script directly within a document.
This attribute indicates the type of script represented. The value of this attribute will be in one of the following categories:
deferattributes. Unlike classic scripts, module scripts require the use of the CORS protocol for cross-origin fetching.
srcattribute will be ignored.
type="module" attributes, as well as inline scripts, are fetched and executed immediately, before the browser continues to parse the page.
The script should be served with the
image/*), a video type (
video/*), an audio (
audio/*) type or
text/csv. If the script is blocked, an
error is sent to the element, if not a
load event is sent.
Browsers that support the
module value for the
type attribute ignore any script with a
nomodule attribute. That enables you to use module scripts while also providing nomodule-marked fallback scripts for non-supporting browsers.
You can also use the
<!-- Generated by the server --> <script id="data" type="application/json">"userId":1234,"userName":"John Doe","memberSince":"2000-01-01T00:00:00.000Z"</script> <!-- Static --> <script> const userInfo = JSON.parse(document.getElementById("data").text); console.log("User information: %o", userInfo); </script>
- Type: –
- Self-closing: No
- Semantic value: No