The HTTP Content-Security-Policy require-sri-for directive instructs the client to require the use of Subresource Integrity for scripts or styles on the page.
Syntax
Content-Security-Policy: require-sri-for script;
Content-Security-Policy: require-sri-for style;
Content-Security-Policy: require-sri-for script style;
script
- Requires SRI for scripts.
style
- Requires SRI for style sheets.
script style
- Requires SRI for both scripts and style sheets.
Examples
If you set your site to require SRI for scripts and styles using this directive:
Content-Security-Policy: require-sri-for script style
<script> elements like the following will be loaded, as they use a valid integrity attribute.
<script src="https://code.jquery.com/jquery-3.1.1.slim.js" integrity="sha256-5i/mQ300M779N2OVDrl16lbohwXNUdzL/R2aVUXyXWA=" crossorigin="anonymous"></script>
However, scripts without integrity won't load anymore:
<script src="https://code.jquery.com/jquery-3.1.1.slim.js"></script>
Specifications
Specification | Status | Comment |
---|---|---|
Subresource Integrity The definition of 'require-sri-for' in that specification. | Recommendation | Initial definition. |
Browser compatibility
Platform | Browser | require-sri-for |
---|---|---|
Desktop | Chrome | Full support 54 |
Desktop | Edge | No support |
Desktop | Firefox | No support 49 — 68 |
Desktop | IE | No support |
Desktop | Opera | Full support 41 |
Desktop | Safari | No support |
Mobile | WebView Android | Full support 54 |
Mobile | Chrome Android | Full support 54 |
Mobile | Firefox Android | No support 49 — 68 |
Mobile | Opera Android | Full support 41 |
Mobile | Safari iOS | No support |
Mobile | Samsung Internet Android | Full support 6.0 |