我們的志工尚未將本文翻譯為 正體中文 (繁體) 版本。加入我們,幫忙翻譯!
您也可以閱讀本文的 English (US) 版本。

The HTTP Content-Security-Policy require-sri-for directive instructs the client to require the use of Subresource Integrity for scripts or styles on the page.

Syntax

Content-Security-Policy: require-sri-for script;
Content-Security-Policy: require-sri-for style;
Content-Security-Policy: require-sri-for script style;
script
Requires SRI for scripts.
style
Requires SRI for style sheets.
script style
Requires SRI for both, scripts and style sheets.

Examples

If you set your site to require SRI for script and styles using this directive:

Content-Security-Policy: require-sri-for script style

<script> elements like the following will be loaded as they use a valid integrity attribute.

<script src="https://code.jquery.com/jquery-3.1.1.slim.js"
        integrity="sha256-5i/mQ300M779N2OVDrl16lbohwXNUdzL/R2aVUXyXWA="
        crossorigin="anonymous"></script>

However, scripts without integrity won't load anymore:

<script src="https://code.jquery.com/jquery-3.1.1.slim.js"></script>

Specifications

Specification Status Comment
Subresource Integrity
The definition of 'require-sri-for' in that specification.
Recommendation Initial definition.

Browser compatibility

FeatureChromeEdgeFirefoxInternet ExplorerOperaSafari
Basic support54 No491 No41 No
FeatureAndroid webviewChrome for AndroidEdge mobileFirefox for AndroidOpera AndroidiOS SafariSamsung Internet
Basic support5454 No49141 No6.0

1. From version 49: this feature is behind the security.csp.experimentalEnabled preference (needs to be set to true). To change preferences in Firefox, visit about:config.

See also

文件標籤與貢獻者

此頁面的貢獻者: Sheppy, fscholz, phillycheeze, freddyb
最近更新: Sheppy,