{{HTTPSidebar}}
The HTTP {{HTTPHeader("Content-Security-Policy")}} require-sri-for directive instructs the client to require the use of Subresource Integrity for scripts or styles on the page.
Syntax
Content-Security-Policy: require-sri-for script;
Content-Security-Policy: require-sri-for style;
Content-Security-Policy: require-sri-for script style;
- script
- Requires {{Glossary("SRI")}} for scripts.
- style
- Requires {{Glossary("SRI")}} for style sheets.
- script style
- Requires {{Glossary("SRI")}} for both scripts and style sheets.
Examples
If you set your site to require SRI for scripts and styles using this directive:
Content-Security-Policy: require-sri-for script style
{{HTMLElement("script")}} elements like the following will be loaded, as they use a valid integrity attribute.
<script src="https://code.jquery.com/jquery-3.1.1.slim.js" integrity="sha256-5i/mQ300M779N2OVDrl16lbohwXNUdzL/R2aVUXyXWA=" crossorigin="anonymous"></script>
However, scripts without integrity won't load anymore:
<script src="https://code.jquery.com/jquery-3.1.1.slim.js"></script>
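As an added example (not part of the original page and not any browser's implementation), the following Python sketch audits a page before the header is deployed: it reads the require-sri-for tokens from a policy value and lists the external scripts and style sheets that lack integrity metadata and would therefore stop loading. It assumes static markup only and does not check that a hash matches the file; the function names, the sample page and the cdn.example URL are constructed for illustration.

```python
from html.parser import HTMLParser

ALGS = ("sha256-", "sha384-", "sha512-")  # hash prefixes accepted in integrity metadata

def required_types(csp_value):
    """Return the resource types ('script', 'style') named by require-sri-for."""
    for directive in csp_value.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "require-sri-for":
            return {t.lower() for t in tokens[1:]} & {"script", "style"}
    return set()

class _Audit(HTMLParser):
    def __init__(self, required):
        super().__init__()
        self.required = required
        self.blocked = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "script" and "src" in a:
            kind, url = "script", a["src"]
        elif tag == "link" and "stylesheet" in a.get("rel", "").lower().split():
            kind, url = "style", a.get("href", "")
        else:
            return  # inline scripts and other elements are not fetched as script/style
        # Any token with a known hash prefix counts as integrity metadata.
        has_sri = any(tok.startswith(ALGS) for tok in a.get("integrity", "").split())
        if kind in self.required and not has_sri:
            self.blocked.append((kind, url))

def audit(csp_value, html):
    """List (type, url) pairs that the policy would refuse to load."""
    parser = _Audit(required_types(csp_value))
    parser.feed(html)
    return parser.blocked

# Constructed sample page: the two script tags are the ones shown above,
# the style sheet URL is made up.
SAMPLE = '''
<script src="https://code.jquery.com/jquery-3.1.1.slim.js"
  integrity="sha256-5i/mQ300M779N2OVDrl16lbohwXNUdzL/R2aVUXyXWA=" crossorigin="anonymous"></script>
<script src="https://code.jquery.com/jquery-3.1.1.slim.js"></script>
<link rel="stylesheet" href="https://cdn.example/site.css">
<script>console.log("inline")</script>
'''

if __name__ == "__main__":
    for kind, url in audit("require-sri-for script style", SAMPLE):
        print(f"would be blocked ({kind}): {url}")
```

Running the audit against each template or rendered page and fixing every reported URL first avoids breaking the site when the header is switched on.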
Specifications
Specification | Status | Comment |
---|---|---|
{{specName("Subresource Integrity", "#opt-in-require-sri-for", "upgrade-insecure-requests")}} | {{Spec2('Subresource Integrity')}} | Initial definition. |
Browser compatibility
{{Compat("http/headers/content-security-policy", "require-sri-for")}}
See also
- {{HTTPHeader("Content-Security-Policy")}}
- Subresource Integrity