W3cubDocs

/HTTP

CSP: require-sri-for

The HTTP Content-Security-Policy require-sri-for directive instructs the client to require the use of Subresource Integrity for scripts or styles on the page.

Syntax

Content-Security-Policy: require-sri-for script;
Content-Security-Policy: require-sri-for style;
Content-Security-Policy: require-sri-for script style;
script
Requires SRI for scripts.
style
Requires SRI for style sheets.
script style
Requires SRI for both, scripts and style sheets.

Examples

If you set your site to require SRI for script and styles using this directive:

Content-Security-Policy: require-sri-for script style

<script> elements like the following will be loaded as they use a valid integrity attribute.

<script src="https://code.jquery.com/jquery-3.1.1.slim.js"
        integrity="sha256-5i/mQ300M779N2OVDrl16lbohwXNUdzL/R2aVUXyXWA="
        crossorigin="anonymous"></script>

However, scripts without integrity won't load anymore:

<script src="https://code.jquery.com/jquery-3.1.1.slim.js"></script>

Specifications

Specification Status Comment
Subresource Integrity
The definition of 'require-sri-for' in that specification.
Recommendation Initial definition.

Browser compatibility

Feature Chrome Firefox Edge Internet Explorer Opera Safari
Basic Support (No) 49.0 (No) (No) (No) (No)
Feature Android Chrome for Android Edge mobile Firefox for Android IE mobile Opera Android iOS Safari
Basic Support (No) (No) (No) 49.0 (No) (No) (No)

See also

© 2005–2017 Mozilla Developer Network and individual contributors.
Licensed under the Creative Commons Attribution-ShareAlike License v2.5 or later.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/require-sri-for