require-sri-for in Content-Security-Policy
Explanation
This demo page is meant to help you understand require-sri-for in Content-Security-Policy.
You can send the policy in the HTTP response header that serves the HTML file, or, equivalently, enable it by adding the following line to the HTML file itself:
<meta http-equiv="Content-Security-Policy" content="require-sri-for script style">
This page uses the meta tag to add Content-Security-Policy support. It sets require-sri-for script style, which enables the integrity check for both stylesheets and scripts. All available forms of require-sri-for are:
- require-sri-for script style enables validation for all stylesheets and scripts on the page
- require-sri-for script enables validation only for scripts on the page
- require-sri-for style enables validation only for stylesheets on the page
The query string controls whether the resources on this page are served with an SRI integrity attribute:
- integrity=all sets integrity for both the script and the stylesheet
- integrity=script sets integrity for the script only
- integrity=style sets integrity for the stylesheet only
Most browsers do not support this feature at the moment, including Chrome, Firefox and Safari. In Chrome, you should be able to enable it as an experimental feature by visiting chrome://flags/#enable-experimental-web-platform-features.
When supported, a Content-Security-Policy with require-sri-for set forces the browser to refuse to load any covered resource that has no integrity attribute. This enhances security by requiring every statically and dynamically imported resource on the site to use SRI. It is also a convenient way to test locally and find any resource that is missing SRI.
Resource loading status
- Style failed to load
- Style loaded successfully
- Script failed to load