Revision 1142605 of CSP: require-sri-for

  • Revision slug: Web/HTTP/Headers/Content-Security-Policy/require-sri-for
  • Revision title: Content-Security-Policy: require-sri-for
  • Revision id: 1142605
  • Created:
  • Creator: fscholz
  • Is current revision? No
  • Comment

Revision Content

{{HTTPSidebar}}

The HTTP {{HTTPHeader("Content-Security-Policy")}} require-sri-for directive instructs the client to require the use of Subresource Integrity for scripts or styles on the page.

Syntax

Content-Security-Policy: require-sri-for script;
Content-Security-Policy: require-sri-for style;
Content-Security-Policy: require-sri-for script style;
script
Requires {{Glossary("SRI")}} for scripts.
style
Requires {{Glossary("SRI")}} for style sheets.
script style
Requires {{Glossary("SRI")}} for both scripts and style sheets.

Examples

If you set your site to require SRI for scripts and styles using this directive:

Content-Security-Policy: require-sri-for script style

{{HTMLElement("script")}} elements like the following will be loaded as they use a valid integrity attribute.

<script src="https://code.jquery.com/jquery-3.1.1.slim.js"
        integrity="sha256-5i/mQ300M779N2OVDrl16lbohwXNUdzL/R2aVUXyXWA="
        crossorigin="anonymous"></script>

However, scripts without integrity won't load anymore:

<script src="https://code.jquery.com/jquery-3.1.1.slim.js"></script>
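
An added example, not part of the MDN page: a pre-deployment check that lists the external scripts and style sheets a client enforcing the directive above would refuse to load because they carry no integrity metadata, plus a helper that computes the attribute value. The function names, the sample page and the cdn.example URLs are constructed for illustration; the check validates only the format of the integrity token and assumes inline scripts and styles are out of scope.

```python
import base64
import hashlib
import re
from html.parser import HTMLParser

# Shape of one integrity token: algorithm prefix plus base64 digest.
SRI_TOKEN = re.compile(r"^(sha256|sha384|sha512)-[A-Za-z0-9+/]+={0,2}$")

def required_types(csp_value):
    """Return the tokens ('script', 'style') listed after require-sri-for."""
    for directive in csp_value.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "require-sri-for":
            return {p.lower() for p in parts[1:]} & {"script", "style"}
    return set()

def sri_value(body, alg="sha384"):
    """Compute the integrity attribute value for a resource's bytes."""
    digest = hashlib.new(alg, body).digest()
    return f"{alg}-{base64.b64encode(digest).decode()}"

def missing_integrity(html, csp_value):
    """List (kind, url) pairs that lack integrity metadata under the policy."""
    required, missing = required_types(csp_value), []

    class Audit(HTMLParser):
        def handle_starttag(self, tag, attrs):
            a = dict(attrs)
            rel = (a.get("rel") or "").lower().split()
            if tag == "script" and a.get("src"):
                kind, url = "script", a["src"]
            elif tag == "link" and "stylesheet" in rel and a.get("href"):
                kind, url = "style", a["href"]
            else:
                return  # assumption: inline code is not fetched, so skip it
            tokens = (a.get("integrity") or "").split()
            if kind in required and not any(map(SRI_TOKEN.match, tokens)):
                missing.append((kind, url))

    Audit().feed(html)
    return missing

# Constructed sample page; cdn.example is a placeholder host.
SAMPLE = """<script src="https://code.jquery.com/jquery-3.1.1.slim.js"
 integrity="sha256-5i/mQ300M779N2OVDrl16lbohwXNUdzL/R2aVUXyXWA="
 crossorigin="anonymous"></script>
<script src="https://cdn.example/app.js"></script>
<link rel="stylesheet" href="https://cdn.example/site.css">
<script>console.log("inline")</script>"""
```

Pass the header value without the `Content-Security-Policy:` name, for example `missing_integrity(SAMPLE, "require-sri-for script style")`.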

Specifications

Specification Status Comment
{{specName("Subresource Integrity", "#opt-in-require-sri-for", "upgrade-insecure-requests")}} {{Spec2('Subresource Integrity')}} Initial definition.

Browser compatibility

{{Compat}}

See also

Revision Source

<div>{{HTTPSidebar}}</div>

<p>The HTTP {{HTTPHeader("Content-Security-Policy")}} <code><strong>require-sri-for</strong></code> directive instructs the client to require the use of <a href="/en-US/docs/Web/Security/Subresource_Integrity">Subresource Integrity</a> for scripts or styles on the page.</p>

<h2 id="Syntax">Syntax</h2>

<pre class="syntaxbox">
Content-Security-Policy: require-sri-for script;
Content-Security-Policy: require-sri-for style;
Content-Security-Policy: require-sri-for script style;
</pre>

<dl>
 <dt>script</dt>
 <dd>Requires {{Glossary("SRI")}} for scripts.</dd>
 <dt>style</dt>
 <dd>Requires {{Glossary("SRI")}} for style sheets.</dd>
 <dt>script style</dt>
 <dd>Requires {{Glossary("SRI")}} for both scripts and style sheets.</dd>
</dl>

<h2 id="Examples">Examples</h2>

<p>If you set your site to require SRI for scripts and styles using this directive:</p>

<pre>
Content-Security-Policy: require-sri-for script style</pre>

<p>{{HTMLElement("script")}} elements like the following will be loaded as they use a valid integrity attribute.</p>

<pre class="brush: html; example-good">
&lt;script src="https://code.jquery.com/jquery-3.1.1.slim.js"
        integrity="sha256-5i/mQ300M779N2OVDrl16lbohwXNUdzL/R2aVUXyXWA="
        crossorigin="anonymous"&gt;&lt;/script&gt;</pre>

<p>However, scripts without integrity won't load anymore:</p>

<pre class="brush: html; example-bad">
&lt;script src="https://code.jquery.com/jquery-3.1.1.slim.js"&gt;&lt;/script&gt;</pre>

<h2 id="Specifications">Specifications</h2>

<table class="standard-table">
 <tbody>
  <tr>
   <th scope="col">Specification</th>
   <th scope="col">Status</th>
   <th scope="col">Comment</th>
  </tr>
  <tr>
   <td>{{specName("Subresource Integrity", "#opt-in-require-sri-for", "upgrade-insecure-requests")}}</td>
   <td>{{Spec2('Subresource Integrity')}}</td>
   <td>Initial definition.</td>
  </tr>
 </tbody>
</table>

<h2 id="Browser_compatibility">Browser compatibility</h2>

<p class="hidden">The compatibility table in this page is generated from structured data. If you'd like to contribute to the data, please check out <a href="https://github.com/mdn/browser-compat-data">https://github.com/mdn/browser-compat-data</a> and send us a pull request.</p>

<p>{{Compat}}</p>

<h2 id="See_also">See also</h2>

<ul>
 <li>{{HTTPHeader("Content-Security-Policy")}}</li>
 <li><a href="/en-US/docs/Web/Security/Subresource_Integrity">Subresource Integrity</a></li>
</ul>