CSP: require-sri-for

Obsolete
This feature is obsolete. Although it may still work in some browsers, its use is discouraged since it could be removed at any time. Try to avoid using it.

The HTTP Content-Security-Policy require-sri-for directive instructs the client to require the use of Subresource Integrity for scripts or styles on the page.

Syntax

Content-Security-Policy: require-sri-for script;
Content-Security-Policy: require-sri-for style;
Content-Security-Policy: require-sri-for script style;
script
Requires SRI for scripts.
style
Requires SRI for style sheets.
script style
Requires SRI for both, scripts and style sheets.

Examples

If you set your site to require SRI for script and styles using this directive:

Content-Security-Policy: require-sri-for script style

<script> elements like the following will be loaded as they use a valid integrity attribute.

<script src="https://code.jquery.com/jquery-3.1.1.slim.js"
        integrity="sha256-5i/mQ300M779N2OVDrl16lbohwXNUdzL/R2aVUXyXWA="
        crossorigin="anonymous"></script>

However, scripts without integrity won't load anymore:

<script src="https://code.jquery.com/jquery-3.1.1.slim.js"></script>

Browser compatibility

DesktopMobile
ChromeEdgeFirefoxInternet ExplorerOperaSafariAndroid webviewChrome for AndroidFirefox for AndroidOpera for AndroidSafari on iOSSamsung Internet
require-sri-for
ExperimentalDeprecatedNon-standard
Chrome Full support 54Edge Full support 79Firefox No support 49 — 68
Disabled
No support 49 — 68
Disabled
Disabled From version 49 until version 68 (exclusive): this feature is behind the security.csp.experimentalEnabled preference (needs to be set to true). To change preferences in Firefox, visit about:config.
IE No support NoOpera Full support 41Safari No support NoWebView Android Full support 54Chrome Android Full support 54Firefox Android No support 49 — 68
Disabled
No support 49 — 68
Disabled
Disabled From version 49 until version 68 (exclusive): this feature is behind the security.csp.experimentalEnabled preference (needs to be set to true). To change preferences in Firefox, visit about:config.
Opera Android Full support 41Safari iOS No support NoSamsung Internet Android Full support 6.0

Legend

Full support
Full support
No support
No support
Experimental. Expect behavior to change in the future.
Experimental. Expect behavior to change in the future.
Non-standard. Expect poor cross-browser support.
Non-standard. Expect poor cross-browser support.
Deprecated. Not for use in new websites.
Deprecated. Not for use in new websites.
User must explicitly enable this feature.
User must explicitly enable this feature.

See also