Chrome tells you it knows the directive but the browser is currently configured to ignore it, no matter if it would be applied or not.
SRI (Subresource Integrity), as a W3C Recommendation, is from June 2016, but `require-sri-for`, the Content Security Policy directive, was introduced later in an Editor's Draft in August 2016. Drafts are provided for discussion only and may change at any moment. And such experimental features are usually not enabled by default to make room for changes in the implementation, the specification, or both.
Whenever Chrome spots the directive in a policy, it will first check whether experimental features are enabled, and will parse the directive and its value if yes. If experimental features are not enabled, it will log the message you're seeing:

    The Content-Security-Policy directive 'require-sri-for' is implemented behind a flag which is currently disabled.
It will report the message even if scripts would later be disabled with `script-src 'none'`; the message is logged to the console early, when the directive is parsed. You can see it in the source code in the `CSPDirectiveList::AddDirective` method.
To make the message go away you have three options:

1. Enable `#enable-experimental-web-platform-features` in `chrome://flags/` (copy `chrome://flags/#enable-experimental-web-platform-features`, paste it into your Chrome's address bar and restart the browser), and test your policy so that you're ready when `require-sri-for` gets shipped. However, this will make the message go away just for you and the very small percentage of users who enabled experimental features in their browsers.
2. Remove `require-sri-for` from your policy, for example if you don't need it because you're using `script-src 'none'`, and add it back later once you'd like to verify scripts.
3. Wait until Chrome enables the feature for everybody; until then users will see the message in the console even if you're not verifying the integrity of loaded scripts.
I personally go with option 3, but I've temporarily enabled the flag to see whether the site would work once `require-sri-for` ships.
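As an added illustration (not code from the answer above), the following Python shows what `require-sri-for` would actually enforce once enabled: it computes the `integrity` token a script tag must carry, emulates the browser-side SRI match (strongest algorithm wins, unrecognised tokens are ignored), and reads which resource types a policy's `require-sri-for` directive covers. The policy string and script body are constructed sample values.

```python
import base64
import hashlib


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Integrity metadata token ('<algo>-<base64 digest>') for a resource body."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def verify_sri(content: bytes, integrity: str) -> bool:
    """Emulate the browser-side check: keep only the tokens that use the
    strongest recognised algorithm and accept the resource if any of them
    matches. Unrecognised tokens are ignored; when no token is usable the
    check passes, which is what the SRI spec prescribes."""
    strength = {"sha256": 1, "sha384": 2, "sha512": 3}
    parsed = []
    for token in integrity.split():
        algo, _, rest = token.partition("-")
        if algo in strength:
            parsed.append((algo, rest.split("?", 1)[0]))  # drop any ?options suffix
    if not parsed:
        return True
    best = max(strength[a] for a, _ in parsed)
    return any(sri_hash(content, a) == f"{a}-{b}"
               for a, b in parsed if strength[a] == best)


def sri_required_for(policy: str) -> set:
    """Resource types ('script' and/or 'style') that a CSP's require-sri-for
    directive covers; empty set when the directive is absent."""
    for directive in policy.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "require-sri-for":
            return {p.lower() for p in parts[1:] if p.lower() in ("script", "style")}
    return set()


if __name__ == "__main__":
    # Constructed sample: a script body as served, and a policy using the directive.
    body = b"console.log('hello');\n"
    policy = "script-src 'self'; require-sri-for script; style-src 'self'"
    print(f'<script src="/app.js" integrity="{sri_hash(body)}"></script>')
    print("SRI required for:", sri_required_for(policy))
    print("tampered copy accepted:", verify_sri(body + b"//x", sri_hash(body)))
```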