require-sri-for in Content-Security-Policy

Explanation

This demo page helps you understand require-sri-for in Content-Security-Policy.

You can send this policy in an HTTP response header when serving the HTML file. Equivalently, you can enable the feature by adding the following line to your HTML file:

<meta http-equiv="Content-Security-Policy" content="require-sri-for script style">

The current page uses a meta tag to set the Content-Security-Policy. It uses require-sri-for script style, which enables the validation check for both stylesheets and scripts. Besides this, the following are all available options for require-sri-for:

You should be able to use the query string to control whether SRI is provided in resources.

Most browsers don't support this feature at the moment, including Chrome, Firefox and Safari. In Chrome, you should be able to enable this experimental feature by visiting chrome://flags/#enable-experimental-web-platform-features.

When supported, a Content-Security-Policy with require-sri-for set should force the browser to refuse to load any resources without SRI. This should help enhance security by forcing all static and dynamically imported resources on the website to use SRI. It's also a good way to test locally and check whether any SRI is missing.
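
A static check for missing SRI that does not depend on browser support, as an added example (not part of the original demo): it reads the require-sri-for tokens from the page's CSP meta tag and lists external scripts and stylesheets in the markup that lack an integrity attribute. The names `SRIAudit` and `missing_sri` and the sample HTML are constructed for illustration; resources injected at runtime are not covered.

```python
from html.parser import HTMLParser

class SRIAudit(HTMLParser):
    """Record require-sri-for tokens and every external script/stylesheet seen."""

    def __init__(self):
        super().__init__()
        self.required = set()  # tokens from require-sri-for: "script" and/or "style"
        self.resources = []    # (kind, url, has_integrity)

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names; valueless attributes are None.
        a = {name: (value or "") for name, value in attrs}
        has_sri = bool(a.get("integrity", "").strip())
        if tag == "meta" and a.get("http-equiv", "").lower() == "content-security-policy":
            # A policy is a ';'-separated list of directives: name, then values.
            for directive in a.get("content", "").split(";"):
                parts = directive.split()
                if parts and parts[0].lower() == "require-sri-for":
                    self.required.update(p.lower() for p in parts[1:])
        elif tag == "script" and a.get("src"):
            self.resources.append(("script", a["src"], has_sri))
        elif tag == "link" and "stylesheet" in a.get("rel", "").lower().split() and a.get("href"):
            self.resources.append(("style", a["href"], has_sri))

def missing_sri(html):
    """Return (kind, url) for each resource the policy covers that has no integrity."""
    audit = SRIAudit()
    audit.feed(html)
    audit.close()
    return [(kind, url) for kind, url, ok in audit.resources
            if kind in audit.required and not ok]

# Constructed sample page; the integrity value is a placeholder, not a real digest.
SAMPLE = """<html><head>
<meta http-equiv="Content-Security-Policy" content="require-sri-for script style">
<link rel="icon" href="/favicon.ico">
<link rel="stylesheet" href="/css/site.css">
<script src="/js/vendor.js" integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="/js/app.js"></script>
<script>console.log("inline, no src");</script>
</head><body></body></html>"""

if __name__ == "__main__":
    for kind, url in missing_sri(SAMPLE):
        print(f"missing integrity: {kind} {url}")
```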

Status of resources loading
