CSP: require-sri-for - HTTP 编辑

Obsolete

This feature is obsolete. Although it may still work in some browsers, its use is discouraged since it could be removed at any time. Try to avoid using it.

The HTTP Content-Security-Policy require-sri-for directive instructs the client to require the use of Subresource Integrity for scripts or styles on the page.

Syntax

Content-Security-Policy: require-sri-for script;
Content-Security-Policy: require-sri-for style;
Content-Security-Policy: require-sri-for script style;

script

Requires SRI for scripts.

style

Requires SRI for style sheets.

script style

Requires SRI for both, scripts and style sheets.

Examples

If you set your site to require SRI for script and styles using this directive:

Content-Security-Policy: require-sri-for script style

<script> elements like the following will be loaded as they use a valid integrity attribute.

<script src="https://code.jquery.com/jquery-3.1.1.slim.js"
        integrity="sha256-5i/mQ300M779N2OVDrl16lbohwXNUdzL/R2aVUXyXWA="
        crossorigin="anonymous"></script>

However, scripts without integrity won't load anymore:

<script src="https://code.jquery.com/jquery-3.1.1.slim.js"></script>

Browser compatibility

BCD tables only load in the browser

See also

• Content-Security-Policy
• Subresource Integrity