Syntax
```http
Integrity-Policy: blocked-destinations=(<destination>),sources=(<source>),endpoints=(<endpoint>)
```
The header values are defined as structured field dictionaries with the following keys:

blocked-destinations
    A list of request destinations that must include valid integrity metadata. Allowed values are:
    script
        Script requests, such as those made for <script> elements.
sources Optional
    A list of integrity sources that must include integrity metadata. Allowed values are:
    inline
        The integrity metadata source is inline to the content, such as the integrity attribute. This is the default.
        As this is the default and only value, omitting sources is equivalent to specifying sources=(inline).
endpoints Optional
    A list of reporting endpoint names that indicate where reports will be sent. The reporting endpoints must be defined in a Reporting-Endpoints header.
Examples
Blocking and reporting when scripts lack integrity metadata
This example shows a document that blocks and reports when any <script> (or HTMLScriptElement) does not specify an integrity attribute, or when a script resource is requested in no-cors mode.
Note that the integrity-endpoint used in Integrity-Policy is defined in the Reporting-Endpoints header.
```http
Reporting-Endpoints: integrity-endpoint="https://example.com/integrity", backup-integrity-endpoint="https://report-provider.example/integrity"
Integrity-Policy: blocked-destinations=(script), endpoints=(integrity-endpoint backup-integrity-endpoint)
```
The report payload might look like this:

```json
{
  "type": "integrity-violation",
  "url": "https://example.com",
  "body": {
    "documentURL": "https://example.com",
    "blockedURL": "https://example.com/main.js",
    "destination": "script",
    "reportOnly": false
  }
}
```
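As an added example (not code from MDN or from any browser engine), the following JavaScript models the behaviour described above: it parses the Integrity-Policy dictionary with a simplified structured-field parser and decides, for a request object with assumed `url`, `destination`, `hasIntegrity` and `mode` fields, whether the request is blocked and which reports would be sent.

```javascript
// Parse an Integrity-Policy header value such as
//   blocked-destinations=(script), endpoints=(integrity-endpoint backup-integrity-endpoint)
// Simplified parser: it handles only the key=(token token ...) shape this header uses.
// "sources" defaults to ["inline"], as the header definition states.
function parseIntegrityPolicy(headerValue) {
  const policy = { blockedDestinations: [], sources: ["inline"], endpoints: [] };
  const re = /([a-z-]+)=\(([^)]*)\)/g;
  let m;
  while ((m = re.exec(headerValue)) !== null) {
    const items = m[2].trim().split(/\s+/).filter(Boolean);
    if (m[1] === "blocked-destinations") policy.blockedDestinations = items;
    else if (m[1] === "sources") policy.sources = items;
    else if (m[1] === "endpoints") policy.endpoints = items;
    // Unknown keys are ignored rather than rejected.
  }
  return policy;
}

// Evaluate one request against the parsed policy. A request for a blocked
// destination violates the policy when it carries no integrity metadata or is
// fetched in no-cors mode (where integrity cannot be verified). The report
// object mirrors the payload shape shown above; one copy goes to each endpoint.
function checkRequest(policy, documentURL, request) {
  const destinationBlocked = policy.blockedDestinations.includes(request.destination);
  const violates = destinationBlocked && (!request.hasIntegrity || request.mode === "no-cors");
  if (!violates) return { blocked: false, reports: [] };
  const report = {
    type: "integrity-violation",
    url: documentURL,
    body: {
      documentURL,
      blockedURL: request.url,
      destination: request.destination,
      reportOnly: false, // Integrity-Policy enforces; a report-only variant would set true
    },
  };
  return { blocked: true, reports: policy.endpoints.map((endpoint) => ({ endpoint, report })) };
}

// Constructed sample: the policy from the example, checked against two requests.
const examplePolicy = parseIntegrityPolicy(
  "blocked-destinations=(script), endpoints=(integrity-endpoint backup-integrity-endpoint)"
);
const noIntegrity = { url: "https://example.com/main.js", destination: "script", hasIntegrity: false, mode: "cors" };
const withIntegrity = { url: "https://example.com/lib.js", destination: "script", hasIntegrity: true, mode: "cors" };
console.log(checkRequest(examplePolicy, "https://example.com", noIntegrity).blocked);   // true
console.log(checkRequest(examplePolicy, "https://example.com", withIntegrity).blocked); // false
```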
Specifications
| Specification |
|---|
| Subresource Integrity # integrity-policy-section |