Import JavaScript
GOV.UK Frontend JavaScript must be run with <script type="module">
.
This protects older browsers, including all versions of Internet Explorer, from running modern JavaScript that it does not support. Read about our browser support for more information.
Before you start
You’ll need to add the following to the top of the <body class="govuk-template__body">
section of your page template if you’re not using our Nunjucks macros.
This snippet adds the .govuk-frontend-supported
class in supported browsers:
<script>document.body.className += ' js-enabled' + ('noModule' in HTMLScriptElement.prototype ? ' govuk-frontend-supported' : '');</script>
You should check if our snippet is blocked by a Content Security Policy.
Next, to import the JavaScript from GOV.UK Frontend, you can either:
- add the JavaScript file to your HTML
- import the JavaScript into your own JavaScript file using a bundler
Add the JavaScript file to your HTML
If you decide to add the JavaScript to your HTML, you can do one of the following:
- set up your routing so requests for the JavaScript file are served from
node_modules/govuk-frontend/dist/govuk/govuk-frontend.min.js
- copy the
node_modules/govuk-frontend/dist/govuk/govuk-frontend.min.js
file into your application
Then import the JavaScript file before the closing </body>
tag of your HTML page or page template, and run the initAll
function to initialise all the components.
<body class="govuk-template__body">
<script>document.body.className += ' js-enabled' + ('noModule' in HTMLScriptElement.prototype ? ' govuk-frontend-supported' : '');</script>
<!-- // ... -->
<script type="module" src="<YOUR-JAVASCRIPTS-FOLDER>/govuk-frontend.min.js"></script>
<script type="module">
import { initAll } from '<YOUR-JAVASCRIPTS-FOLDER>/govuk-frontend.min.js'
initAll()
</script>
</body>
Read about how we log JavaScript errors in the browser console to check GOV.UK Frontend has been set up correctly.
Import JavaScript using a bundler
If you decide to import using a bundler like Rollup or webpack, the bundled JavaScript files must be added using <script type="module">
in your HTML:
<script type="module" src="<YOUR-JAVASCRIPTS-FOLDER>/app-bundle.min.js"></script>
We encourage the use of ECMAScript (ES) modules, but you should check your bundler does not unnecessarily downgrade modern JavaScript for unsupported browsers.
If your service cannot use ES modules, read about alternative module formats below.
Import individual components
If you want to improve how quickly your service’s pages load in browsers, you can import only the JavaScript components you need.
import { SkipLink, Radios } from 'govuk-frontend'
const $skipLink = document.querySelector('[data-module="govuk-skip-link"]')
new SkipLink($skipLink)
When using a component more than once, the same import
can be initialised again:
import { Radios } from 'govuk-frontend'
const $radios = document.querySelectorAll('[data-module="govuk-radios"]')
$radios.forEach(($radio) => {
new Radios($radio)
})
Import and initialise all components using the initAll function
If you need to import all of GOV.UK Frontend’s components, then run the initAll
function to initialise them:
import { initAll } from 'govuk-frontend'
initAll()
Import JavaScript using alternative module formats
Universal Module Definition (UMD)
For projects that cannot import ECMAScript (ES) modules, we also publish pre-built Universal Module Definition (UMD) bundles to support the following formats:
- Asynchronous Module Definition (AMD)
- Browser
window.GOVUKFrontend
global - CommonJS
Bundlers like Browserify can use require()
to import UMD bundles:
const { Accordion } = require('govuk-frontend')
Rails Assets Pipeline or Sprockets can use require
directives to import UMD bundles:
// = require govuk/components/accordion/accordion.bundle.js
const { Accordion } = window.GOVUKFrontend;
Note: Using pre-built bundles instead of ECMAScript (ES) modules will output considerably larger JavaScript files. You can read more about tree shaking on the MDN website.
If our inline JavaScript snippet is blocked by a Content Security Policy
If your site has a Content Security Policy (CSP), the CSP may block the inline JavaScript in the page template. You may see a warning like the following in your browser console:
Refused to execute inline script because it violates the following Content Security Policy directive: "default-src 'self'".
To unblock inline JavaScript, do one of the following:
- include a hash (recommended)
- use a nonce
Make sure you understand the security implications of using either option, as wrong implementation could affect your service’s security. If you’re not sure what to do, talk to a security expert.
Use a hash to unblock inline JavaScript
You can unblock inline JavaScript by including the following hash in your CSP:
sha256-GUQ5ad8JK5KmEWmROf3LZd9ge94daqNvd8xy9YS1iDw=
You do not need to make any changes to the HTML.
Learn more about Content Security Policy on the MDN Web Docs website.
Use a nonce
attribute to unblock inline JavaScript
If you’re unable to use the hash in your CSP, you can also use a nonce
on inline JavaScript.
However, you should provide a nonce that hostile actors cannot guess. Otherwise, they could easily find a way around your CSP.
You should use a value which is:
- unique for each HTTP response
- generated using a cryptographically-secure random generator
- at least 32 characters for hex, or 24 characters for base64
Make sure your script tags do not have any untrusted or unescaped variables.
If you’re using the Nunjucks page template, you can add the nonce
attribute by setting the cspNonce
variable.