FF142 Integrity-Policy can be enforced on scripts
hamishwillee committed Aug 17, 2025
commit 860e670f887aa93615e1460c7b1098a23c24a8ac
Expand Up @@ -13,7 +13,7 @@ sidebar: http

The HTTP **`Integrity-Policy-Report-Only`** response header allows website administrators to report on resources that the user agent loads that would violate [Subresource Integrity](/en-US/docs/Web/Security/Subresource_Integrity) guarantees if the integrity policy was enforced (using the {{HTTPHeader("Integrity-Policy")}} header).

Reports may be generated for requests on specified [request destinations](/en-US/docs/Web/API/Request/destination) that omit integrity metadata, or that are made in [no-cors](/en-US/docs/Web/API/Request/mode#no-cors) mode.
Reports may be generated for requests on specified [request destinations](#blocked-destinations) that omit integrity metadata, or that are made in [no-cors](/en-US/docs/Web/API/Request/mode#no-cors) mode.
Collaborator Author

Note, the link was good, but it is more useful here to be able to jump down to the field to find out what destinations are blocked. The old link appears there if people want to find out more about destinations.

For reports to be sent to a reporting endpoint, the `Integrity-Policy-Report-Only` header must specify a valid reporting endpoint name that matches an endpoint declared using the {{HTTPHeader("Reporting-Endpoints")}} header.
Reports are generated using the [Reporting API](/en-US/docs/Web/API/Reporting_API), and may also be observed in the page for which the integrity policy is being reported, using a [ReportingObserver](/en-US/docs/Web/API/ReportingObserver).
The format of the report body is given by the {{domxref("IntegrityViolationReportBody")}} dictionary (a JSON-serialized form of this body is sent in POSTs to reporting server endpoints).
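Review bot: the new `#blocked-destinations` fragment in `[request destinations](#blocked-destinations)` depends on the rendered id of the `blocked-destinations` term in the definition list further down this page, so the built page should be checked to confirm the anchor resolves; the previous absolute `Request/destination` target could not go stale in that way. Nothing is lost by the swap, since the `Request/destination` link is still present on the field itself in the later hunk.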
Expand Down Expand Up @@ -42,15 +42,22 @@ Integrity-Policy-Report-Only: blocked-destinations=(<destination>),sources=(<sou
The header values are defined as structured field dictionaries with the following keys:

- `blocked-destinations`

- : A list of [request destinations](/en-US/docs/Web/API/Request/destination) that must include valid integrity metadata.
Allowed values are:

- `script`
- : Script resources.
- `style`
- : Stylesheet resources.

- `sources` {{optional_inline}}

- : A list of integrity sources that must include integrity metadata.
Allowed values are:

- `inline`

- : The integrity metadata source is inline to the content, such as the [integrity attribute](/en-US/docs/Web/API/HTMLScriptElement/integrity).
This is the default.

Expand Up @@ -13,7 +13,7 @@ sidebar: http

The HTTP **`Integrity-Policy`** response header allows website administrators to ensure that all resources the user agent loads (of a certain type) have [Subresource Integrity](/en-US/docs/Web/Security/Subresource_Integrity) guarantees.

When set the user agent will block requests on specified [request destinations](/en-US/docs/Web/API/Request/destination) that omit integrity metadata, and will also block requests in [no-cors](/en-US/docs/Web/API/Request/mode#no-cors) mode from ever being made.
When set the user agent will block requests on specified [request destinations](#blocked-destinations) that omit integrity metadata, and will also block requests in [no-cors](/en-US/docs/Web/API/Request/mode#no-cors) mode from ever being made.

Violation reports may also be sent to if the header includes a reporting endpoint name that matches an endpoint declared using the {{HTTPHeader("Reporting-Endpoints")}} header.
Reports are generated using the [Reporting API](/en-US/docs/Web/API/Reporting_API), and may also be observed in the page for which the integrity policy is being enforced, using a [ReportingObserver](/en-US/docs/Web/API/ReportingObserver).
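Review bot: the unchanged context line `Violation reports may also be sent to if the header includes a reporting endpoint name ...` is missing the object of "sent to"; since this paragraph is being touched anyway, suggest `Violation reports may also be sent to a reporting endpoint if the header includes a reporting endpoint name ...`, which matches the phrasing `For reports to be sent to a reporting endpoint, ...` used in the Integrity-Policy-Report-Only page.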
Expand Down Expand Up @@ -45,13 +45,18 @@ The header values are defined as structured field dictionaries with the followin
- `blocked-destinations`
- : A list of [request destinations](/en-US/docs/Web/API/Request/destination) that must include valid integrity metadata.
Allowed values are:

- `script`
- : Script resources.

- `style`
- : Stylesheet resources.
- `sources` {{optional_inline}}

- : A list of integrity sources that must include integrity metadata.
Allowed values are:

- `inline`

- : The integrity metadata source is inline to the content, such as the [integrity attribute](/en-US/docs/Web/API/HTMLScriptElement/integrity).
This is the default.

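Review bot: the commit title says `Integrity-Policy can be enforced on scripts`, but what this hunk adds is the `style` destination (`- \`style\`` / `- : Stylesheet resources.`); the diff contains no browser-compat or release-note change, so if Firefox 142 support differs between `script` and `style` the page now lists both without saying so. Confirm the compat data agrees with documenting both values, and consider one consistent spacing for the sibling entries (there is a blank line after `- : Script resources.` but none after `- : Stylesheet resources.`).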
2 changes: 1 addition & 1 deletion files/en-us/web/security/subresource_integrity/index.md
Expand Up @@ -122,7 +122,7 @@ Developers would typically use `Integrity-Policy-Report-Only` as a first deploym
The header values are defined as structured field dictionaries with the following keys:

- `blocked-destinations`
- : Defines a list of [request destinations](/en-US/docs/Web/API/Request/destination) to be blocked. The only allowed value is `script`.
- : Defines a list of [request destinations](/en-US/docs/Web/API/Request/destination) to be blocked. The only allowed values are `script` and `style`.
- `sources` {{optional_inline}}
- : Defines a list of integrity sources. The default and only currently supported value is `inline`. As a result, adding `sources=(inline)` to the header has a similar effect as omitting `sources`.
- `endpoints` {{optional_inline}}
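Review bot: the changed line `Defines a list of [request destinations](...) to be blocked. The only allowed values are \`script\` and \`style\`.` describes the destinations themselves as blocked, whereas the two header reference pages in this same commit say they are destinations that `must include valid integrity metadata`, with only requests that omit it (or are made in no-cors mode) being blocked; suggest aligning the wording here, e.g. `Defines a list of request destinations whose requests must include valid integrity metadata. The only allowed values are \`script\` and \`style\`.`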