The HTTP Content-Security-Policy require-sri-for directive instructs the client to require the use of Subresource Integrity for scripts or styles on the page.
Syntax
Content-Security-Policy: require-sri-for script; Content-Security-Policy: require-sri-for style; Content-Security-Policy: require-sri-for script style;
- script
- Requires SRI for scripts.
- style
- Requires SRI for style sheets.
- script style
- Requires SRI for both, scripts and style sheets.
Examples
If you set your site to require SRI for script and styles using this directive:
Content-Security-Policy: require-sri-for script style
<script> elements like the following will be loaded as they use a valid integrity attribute.
<script src="https://code.jquery.com/jquery-3.1.1.slim.js"
integrity="sha256-5i/mQ300M779N2OVDrl16lbohwXNUdzL/R2aVUXyXWA="
crossorigin="anonymous"></script>
However, scripts without integrity won't load anymore:
<script src="https://code.jquery.com/jquery-3.1.1.slim.js"></script>
Specifications
| Specification | Status | Comment |
|---|---|---|
| Subresource Integrity The definition of 'require-sri-for' in that specification. |
Recommendation | Initial definition. |
Browser compatibility
The compatibility table in this page is generated from structured data. If you'd like to contribute to the data, please check out https://github.com/mdn/browser-compat-data and send us a pull request.
| Feature | Chrome | Firefox | Edge | Internet Explorer | Opera | Safari |
|---|---|---|---|---|---|---|
| Basic Support | (No) | 49.0 | (No) | (No) | (No) | (No) |
| Feature | Android | Chrome for Android | Edge mobile | Firefox for Android | IE mobile | Opera Android | iOS Safari |
|---|---|---|---|---|---|---|---|
| Basic Support | (No) | (No) | (No) | 49.0 | (No) | (No) | (No) |