The require-sri-for directive of the HTTP Content-Security-Policy header instructs the client to require Subresource Integrity (SRI) for scripts or styles on the page.
Syntax
Content-Security-Policy: require-sri-for script;
Content-Security-Policy: require-sri-for style;
Content-Security-Policy: require-sri-for script style;
Examples
If you set your site to require SRI for scripts and styles using the following directive:
Content-Security-Policy: require-sri-for script style
<script> elements such as the following will be loaded, because they have a valid integrity attribute.
<script src="https://code.jquery.com/jquery-3.1.1.slim.js"
integrity="sha256-5i/mQ300M779N2OVDrl16lbohwXNUdzL/R2aVUXyXWA="
crossorigin="anonymous"></script>
However, scripts without an integrity attribute will no longer be loaded:
<script src="https://code.jquery.com/jquery-3.1.1.slim.js"></script>
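The following Node.js sketch is an added example, not part of the original page: it reads the require-sri-for directive from a policy string and lists the external scripts and stylesheets in a page that lack an integrity attribute, which is a useful check before deploying the header. The function names, the sample page and the example.com stylesheet URL are assumptions made for illustration; sriValue computes the integrity value to add to a tag once the file's contents have been reviewed.

```javascript
const crypto = require("crypto");

// Resource types ("script", "style") named by require-sri-for in a CSP header value.
function requiredSriTypes(csp) {
  for (const directive of csp.split(";")) {
    const [name, ...values] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === "require-sri-for") {
      return new Set(values.map((v) => v.toLowerCase()));
    }
  }
  return new Set();
}

// Integrity value for a resource body, in the "<alg>-<base64 digest>" form.
function sriValue(body, alg = "sha256") {
  return `${alg}-${crypto.createHash(alg).update(body).digest("base64")}`;
}

// URLs of external scripts and stylesheets that lack a well-formed integrity
// attribute for a type the policy covers. Regex scanning is a simplification
// for this audit sketch; a real tool would use an HTML parser.
function findBlocked(html, csp) {
  const types = requiredSriTypes(csp);
  const blocked = [];
  for (const [, tag, attrs] of html.matchAll(/<(script|link)\b([^>]*)>/gi)) {
    const attr = (n) => {
      const m = new RegExp(`(?:^|\\s)${n}\\s*=\\s*["']([^"']*)["']`, "i").exec(attrs);
      return m ? m[1] : null;
    };
    const isScript = tag.toLowerCase() === "script";
    const url = attr(isScript ? "src" : "href");
    if (!url) continue; // no request is made, nothing to check
    if (!isScript && !/\bstylesheet\b/i.test(attr("rel") || "")) continue;
    const hasSri = /^sha(256|384|512)-[A-Za-z0-9+/]+=*/.test(attr("integrity") || "");
    if (types.has(isScript ? "script" : "style") && !hasSri) blocked.push(url);
  }
  return blocked;
}

// Constructed sample page: the two jQuery tags from the examples above plus a
// hypothetical stylesheet without an integrity attribute.
const SAMPLE_HTML = `
<script src="https://code.jquery.com/jquery-3.1.1.slim.js"
        integrity="sha256-5i/mQ300M779N2OVDrl16lbohwXNUdzL/R2aVUXyXWA="
        crossorigin="anonymous"></script>
<script src="https://code.jquery.com/jquery-3.1.1.slim.js"></script>
<link rel="stylesheet" href="https://example.com/site.css">`;

console.log(findBlocked(SAMPLE_HTML, "require-sri-for script style"));
```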
Specifications
Specification | Status | Comment |
---|---|---|
Subresource Integrity require-sri-for | Recommendation | Initial definition. |