
CSP: require-sri-for


The HTTP Content-Security-Policy require-sri-for directive instructs the client to require the use of Subresource Integrity (SRI) for scripts or styles on the page.

Syntax

Content-Security-Policy: require-sri-for script;
Content-Security-Policy: require-sri-for style;
Content-Security-Policy: require-sri-for script style;
script
Requires SRI for scripts.
style
Requires SRI for style sheets.
script style
Requires SRI for both scripts and style sheets.

Examples

If you set your site to require SRI for scripts and styles using the following directive:

Content-Security-Policy: require-sri-for script style

<script> elements like the following are loaded, because they have a valid integrity attribute.

<script src="https://code.jquery.com/jquery-3.1.1.slim.js"
        integrity="sha256-5i/mQ300M779N2OVDrl16lbohwXNUdzL/R2aVUXyXWA="
        crossorigin="anonymous"></script>

However, scripts without an integrity attribute will no longer load:

<script src="https://code.jquery.com/jquery-3.1.1.slim.js"></script>
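
An added example, not part of the original page: a Python sketch that lists which external scripts and style sheets in a page a require-sri-for policy would refuse to load, and computes an integrity value that can be added to fix them. The function names, the cdn.example stylesheet URL and the presence-only check (verifying that the hash matches is left to the browser) are assumptions of this example.

```python
import base64
import hashlib
from html.parser import HTMLParser

def sri_hash(data, alg="sha384"):
    """Integrity attribute value (e.g. 'sha384-...') for the resource bytes."""
    digest = hashlib.new(alg, data).digest()
    return f"{alg}-{base64.b64encode(digest).decode('ascii')}"

def required_types(csp):
    """Resource types named by require-sri-for in a CSP header value."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "require-sri-for":
            return {t.lower() for t in tokens[1:]} & {"script", "style"}
    return set()

class SriAudit(HTMLParser):
    """Collects external scripts/stylesheets that carry no integrity metadata."""
    def __init__(self, required):
        super().__init__()
        self.required, self.blocked = required, []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        rel = (a.get("rel") or "").lower().split()
        if tag == "script" and a.get("src"):
            kind, url = "script", a["src"]
        elif tag == "link" and "stylesheet" in rel and a.get("href"):
            kind, url = "style", a["href"]
        else:
            return  # inline code and other elements are not covered here
        if kind in self.required and not (a.get("integrity") or "").strip():
            self.blocked.append((kind, url))

def audit(html, csp):
    """List of (type, url) pairs the policy would refuse to load."""
    parser = SriAudit(required_types(csp))
    parser.feed(html)
    return parser.blocked

# Constructed sample: the page's two <script> tags plus a hypothetical stylesheet.
SAMPLE_HTML = """
<script src="https://code.jquery.com/jquery-3.1.1.slim.js"
        integrity="sha256-5i/mQ300M779N2OVDrl16lbohwXNUdzL/R2aVUXyXWA="
        crossorigin="anonymous"></script>
<script src="https://code.jquery.com/jquery-3.1.1.slim.js"></script>
<link rel="stylesheet" href="https://cdn.example/site.css">
"""
print(audit(SAMPLE_HTML, "require-sri-for script style"))
```

Running the audit against a staging copy of a page before enabling the header shows which tags still need an integrity attribute; sri_hash() produces the value from the exact bytes the CDN serves.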

Specifications

| Specification | Status | Comment |
| Subresource Integrity: require-sri-for | Recommendation | Initial definition. |

Browser compatibility

Desktop

| Feature | Chrome | Edge | Firefox | Internet Explorer | Opera | Safari |
| Basic support | 54 | No | 49 [1] | No | 41 | No |

Mobile

| Feature | Android webview | Chrome for Android | Edge mobile | Firefox for Android | Opera Android | iOS Safari | Samsung Internet |
| Basic support | 54 | 54 | No | 49 [1] | 41 | No | 6.0 |

1. From version 49: this feature is behind the security.csp.experimentalEnabled preference (needs to be set to true). To change preferences in Firefox, visit about:config.

See also

Document tags and contributors

Contributors to this page: shevacjs
Last edited by: shevacjs