W3cubDocs

/HTTP

CSP: require-sri-for

Obsolete
This feature is obsolete. Although it may still work in some browsers, its use is discouraged since it could be removed at any time. Try to avoid using it.

The HTTP Content-Security-Policy require-sri-for directive instructs the client to require the use of Subresource Integrity for scripts or styles on the page.

Syntax

Content-Security-Policy: require-sri-for script;
Content-Security-Policy: require-sri-for style;
Content-Security-Policy: require-sri-for script style;
script
Requires SRI for scripts.
style
Requires SRI for style sheets.
script style
Requires SRI for both, scripts and style sheets.

Examples

If you set your site to require SRI for script and styles using this directive:

Content-Security-Policy: require-sri-for script style

<script> elements like the following will be loaded as they use a valid integrity attribute.

<script src="https://code.jquery.com/jquery-3.1.1.slim.js"
        integrity="sha256-5i/mQ300M779N2OVDrl16lbohwXNUdzL/R2aVUXyXWA="
        crossorigin="anonymous"></script>

However, scripts without integrity won't load anymore:

<script src="https://code.jquery.com/jquery-3.1.1.slim.js"></script>

Browser compatibilityUpdate compatibility data on GitHub

Desktop
Chrome Edge Firefox Internet Explorer Opera Safari
require-sri-for 54 79 49 — 68
Disabled
49 — 68
Disabled
Disabled From version 49 until version 68 (exclusive): this feature is behind the security.csp.experimentalEnabled preference (needs to be set to true). To change preferences in Firefox, visit about:config.
No 41 No
Mobile
Android webview Chrome for Android Firefox for Android Opera for Android Safari on iOS Samsung Internet
require-sri-for 54 54 49 — 68
Disabled
49 — 68
Disabled
Disabled From version 49 until version 68 (exclusive): this feature is behind the security.csp.experimentalEnabled preference (needs to be set to true). To change preferences in Firefox, visit about:config.
41 No 6.0

See also

© 2005–2020 Mozilla and individual contributors.
Licensed under the Creative Commons Attribution-ShareAlike License v2.5 or later.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/require-sri-for