The HTTP Content-Security-Policy require-sri-for directive instructs the client to require the use of Subresource Integrity for scripts or styles on the page.
Content-Security-Policy: require-sri-for script;
Content-Security-Policy: require-sri-for style;
Content-Security-Policy: require-sri-for script style;

script
style
script style

If you set your site to require SRI for scripts and styles using this directive:
Content-Security-Policy: require-sri-for script style
<script> elements like the following will be loaded as they use a valid integrity attribute.
<script src="https://code.jquery.com/jquery-3.1.1.slim.js"
integrity="sha256-5i/mQ300M779N2OVDrl16lbohwXNUdzL/R2aVUXyXWA="
crossorigin="anonymous"></script>
However, scripts without integrity won't load anymore:
<script src="https://code.jquery.com/jquery-3.1.1.slim.js"></script>
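A pre-deployment check for the behaviour described above, as an added example that is not part of the original page: it reads the require-sri-for directive from a policy string and lists the `<script src>` and stylesheet `<link>` elements in an HTML document that carry no well-formed integrity value. The function names and the sample markup are constructed for illustration; the check covers the attribute's format only and fetches nothing.

```python
import base64
import hashlib
import re
from html.parser import HTMLParser

# One integrity token: algorithm, dash, base64 digest (format check only).
SRI_TOKEN = re.compile(r"^(sha256|sha384|sha512)-[A-Za-z0-9+/]+={0,2}$")

def required_types(csp_header):
    """Return the resource types named by require-sri-for in a policy string."""
    for directive in csp_header.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "require-sri-for":
            return {p.lower() for p in parts[1:]} & {"script", "style"}
    return set()

def sri_value(body, alg="sha384"):
    """Compute an integrity attribute value for a resource body (bytes)."""
    digest = hashlib.new(alg, body).digest()
    return f"{alg}-{base64.b64encode(digest).decode()}"

class SriAudit(HTMLParser):
    """Collect (type, url) for fetched scripts/styles without usable integrity."""
    def __init__(self, required):
        super().__init__()
        self.required, self.blocked = required, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        rel = (a.get("rel") or "").lower().split()
        if tag == "script" and a.get("src"):
            kind, url = "script", a["src"]
        elif tag == "link" and "stylesheet" in rel and a.get("href"):
            kind, url = "style", a["href"]
        else:
            return  # inline or unrelated element: out of scope for this example
        tokens = (a.get("integrity") or "").split()
        if kind in self.required and not any(SRI_TOKEN.match(t) for t in tokens):
            self.blocked.append((kind, url))

def audit(csp_header, html):
    """List elements that lack a well-formed integrity value under the policy."""
    parser = SriAudit(required_types(csp_header))
    parser.feed(html)
    return parser.blocked

if __name__ == "__main__":
    page = '<script src="/app.js"></script><link rel="stylesheet" href="/a.css">'  # constructed
    print(audit("require-sri-for script style", page))
```

`sri_value` produces the string to place in the integrity attribute once the exact bytes of the resource being served are known.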
| Specification | Status | Comment |
|---|---|---|
| Subresource Integrity: the definition of 'require-sri-for' in that specification. | Recommendation | Initial definition. |
| Feature | Chrome | Edge | Firefox | Internet Explorer | Opera | Safari |
|---|---|---|---|---|---|---|
| Basic support | 54 | No | 49 [1] | No | 41 | No |
| Feature | Android webview | Chrome for Android | Edge mobile | Firefox for Android | IE mobile | Opera Android | iOS Safari |
|---|---|---|---|---|---|---|---|
| Basic support | 54 | 54 | No | 49 [1] | No | 41 | No |
1. From version 49: this feature is behind the security.csp.experimentalEnabled preference (needs to be set to true). To change preferences in Firefox, visit about:config.
© 2005–2018 Mozilla Developer Network and individual contributors.
Licensed under the Creative Commons Attribution-ShareAlike License v2.5 or later.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/require-sri-for