require SRI for resources (require-sri)

Subresource Integrity (SRI) is a security feature that enables browsers to verify that resources they fetch are delivered without unexpected manipulation.

It is commonly needed when loading resources from a Content Delivery Network (CDN).

This rule requires the integrity attribute, which provides the cryptographic hash SRI needs to function.

Rule details

Examples of incorrect code for this rule:

<script href="//cdn.example.net/jquery.min.js"></script>
error: SRI "integrity" attribute is required on <script> element (require-sri) at inline:1:2:
> 1 | <script href="//cdn.example.net/jquery.min.js"></script>
    |  ^^^^^^


1 error found.

Examples of correct code for this rule:

<script href="//cdn.example.net/jquery.min.js" integrity="sha384-..."></script>

Options

This rule takes an optional object:

{
    "target": "all"
}

target

With target set to crossorigin, only requests to other domains need SRI. Note that the logic for determining whether a resource is cross-origin is a bit naïve: a resource with a full URL (protocol://) or an implicit protocol (//) counts as cross-origin even if it technically points to the same origin.

<!-- local resource -->
<link href="local.css">

<!-- resource loaded over CDN -->
<link href="//cdn.example.net/remote.css">
error: SRI "integrity" attribute is required on <link> element (require-sri) at inline:5:2:
  3 | 
  4 | <!-- resource loaded over CDN -->
> 5 | <link href="//cdn.example.net/remote.css">
    |  ^^^^


1 error found.
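
The following Node.js sketch is an added example, not html-validate's own code: it builds the value the integrity attribute expects, repeats the comparison a browser makes, and applies the crossorigin heuristic described above to sample markup, including the same-origin absolute URL that still gets flagged. The helper names (sriHash, matchesIntegrity, looksCrossOrigin, missingSri), the regex-based tag scan and the host site.example are assumptions made for illustration.

```javascript
// Added illustration; not html-validate's source code.
const { createHash } = require("crypto");

// Value for the integrity attribute: "<algorithm>-<base64 digest>".
function sriHash(content, algorithm = "sha384") {
  return `${algorithm}-${createHash(algorithm).update(content).digest("base64")}`;
}

// What the browser does with a single-hash attribute: recompute and compare.
function matchesIntegrity(content, integrity) {
  const algorithm = integrity.split("-", 1)[0];
  return sriHash(content, algorithm) === integrity;
}

// Heuristic as the page describes it for target "crossorigin": an explicit
// protocol (scheme://) or an implicit one (//) counts as cross-origin.
function looksCrossOrigin(url) {
  return /^(?:[a-z][a-z0-9+.-]*:)?\/\//i.test(url);
}

// Source URLs of <script>/<link> tags that need integrity but lack it.
// Assumption: a regex scan is enough for this sample; a real linter parses.
function missingSri(html, target = "all") {
  const missing = [];
  for (const [tag] of html.matchAll(/<(?:script|link)\b[^>]*>/gi)) {
    const url = (tag.match(/\b(?:src|href)\s*=\s*"([^"]*)"/i) || [])[1] || "";
    const required = target === "all" || looksCrossOrigin(url);
    if (required && !/\bintegrity\s*=/i.test(tag)) missing.push(url);
  }
  return missing;
}

// Constructed sample; site.example stands in for the page's own origin.
const sample = `
<link href="local.css">
<link href="//cdn.example.net/remote.css">
<link href="https://site.example/same-origin.css">
<script src="//cdn.example.net/jquery.min.js" integrity="sha384-..."></script>
`;
const asset = Buffer.from("console.log('constructed asset');");
const pinned = sriHash(asset);

console.log(missingSri(sample, "crossorigin")); // same-origin.css is flagged too
console.log(missingSri(sample, "all"));         // local.css is flagged as well
console.log(pinned, matchesIntegrity(asset, pinned));
console.log(matchesIntegrity(Buffer.concat([asset, Buffer.from(" ")]), pinned));
```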