The HTTP Content-Security-Policy require-sri-for directive instructis the client to require the use of Subresource Integrity for scripts or styles on the page.
Content-Security-Policy: require-sri-for script; Content-Security-Policy: require-sri-for style; Content-Security-Policy: require-sri-for script style;
If you set your site to require SRI for script and styles using this directive:
Content-Security-Policy: require-sri-for script style
<script> elements like the following will be loaded as they use a valid integrity attribute.
<script src="https://code.jquery.com/jquery-3.1.1.slim.js"
integrity="sha256-5i/mQ300M779N2OVDrl16lbohwXNUdzL/R2aVUXyXWA="
crossorigin="anonymous"></script> However, scripts without integrity won't load anymore:
<script src="https://code.jquery.com/jquery-3.1.1.slim.js"></script>
| Specification | Status | Comment |
|---|---|---|
| Subresource Integrity The definition of 'require-sri-for' in that specification. | Recommendation | Initial definition. |
| Feature | Chrome | Edge | Firefox | Internet Explorer | Opera | Safari | Servo |
|---|---|---|---|---|---|---|---|
| Basic Support | No support | No support | 49.0 | No support | No support | No support | ? |
| Feature | Android | Chrome for Android | Edge Mobile | Firefox for Android | IE Mobile | Opera Mobile | Safari Mobile |
|---|---|---|---|---|---|---|---|
| Basic Support | No support | No support | No support | 49.0 | No support | No support | No support |
© 2005–2017 Mozilla Developer Network and individual contributors.
Licensed under the Creative Commons Attribution-ShareAlike License v2.5 or later.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/require-sri-for