RESOLVED FIXED 287158
It is possible to have the same Attr node in multiple Elements with Trusted Types default policy
https://bugs.webkit.org/show_bug.cgi?id=287158
Luke Warlow
Reported 2025-02-06 08:34:16 PST
```
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<meta http-equiv="Content-Security-Policy" content="require-trusted-types-for 'script'">
</head>
<body>
<h3 id="log"></h3>
<script>
var attr = document.createAttribute("onclick");
attr.value = "1+1;";
var gotCreateScript = false;
trustedTypes.createPolicy("default", {
  createScript: function(val) {
    if (gotCreateScript) {
      // We move the Attr node only the first time this is called.
      return val;
    }
    gotCreateScript = true;
    document.documentElement.setAttributeNode(attr);
    return val;
  },
});
document.body.setAttributeNode(attr);
document.getElementById("log").textContent =
  "Does html and body element have the same Attr node in their attributes list: " +
  (document.documentElement.attributes[0] === document.body.attributes[0]);
</script>
</body>
</html>
```

By using trusted types callbacks it is possible to move an Attr node to another element while it is still being set on the original element.

Some discussion also in https://github.com/whatwg/dom/pull/1268
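The ordering problem in the report above, as an added example that is not part of the original report and is not WebKit or DOM specification code: a simplified JavaScript model contrasting an ownership check made before the policy callback with one made after it. The `Element` and `Attr` classes, both method names and the `run` helper are hypothetical, and the callback-first ordering is an assumed mitigation, since the page does not describe the landed fix.

```javascript
// Simplified model, constructed for illustration (not WebKit or DOM spec code).
class Attr {
  constructor(name, value) { this.name = name; this.value = value; this.ownerElement = null; }
}

class Element {
  constructor(tag) { this.tag = tag; this.attributes = []; }

  // Ordering from the report: ownership check, then policy callback, then attach.
  setAttributeNodeCheckFirst(attr, policy) {
    if (attr.ownerElement && attr.ownerElement !== this) throw new Error("InUseAttributeError");
    attr.value = policy.createScript(attr.value); // callback may re-enter and attach attr elsewhere
    this.attach(attr);                            // the earlier check is now stale
  }

  // Assumed hardened ordering: run the callback first, validate ownership afterwards.
  setAttributeNodeCallbackFirst(attr, policy) {
    const verified = policy.createScript(attr.value);
    if (attr.ownerElement && attr.ownerElement !== this) throw new Error("InUseAttributeError");
    attr.value = verified;
    this.attach(attr);
  }

  attach(attr) {
    if (!this.attributes.includes(attr)) this.attributes.push(attr);
    attr.ownerElement = this;
  }
}

// Replays the report's scenario against one of the two orderings and reports
// how many elements end up listing the same Attr node.
function run(method) {
  const html = new Element("html"), body = new Element("body");
  const attr = new Attr("onclick", "1+1;");
  let called = false;
  const policy = {
    createScript(val) {
      if (!called) { called = true; html[method](attr, policy); } // move attr once
      return val;
    },
  };
  let error = null;
  try { body[method](attr, policy); } catch (e) { error = e.message; }
  const owners = [html, body].filter(el => el.attributes.includes(attr)).length;
  return { owners, error };
}
```

`run("setAttributeNodeCheckFirst")` leaves the Attr in two attribute lists, while `run("setAttributeNodeCallbackFirst")` rejects the second attach and leaves it in one.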
Luke Warlow
Comment 1 2025-02-06 09:19:58 PST
Radar WebKit Bug Importer
Comment 2 2025-02-13 08:35:15 PST
EWS
Comment 3 2025-02-18 12:04:37 PST
Committed 290543@main (4dad722e68b5): <https://commits.webkit.org/290543@main> Reviewed commits have been landed. Closing PR #40127 and removing active labels.