
In my Content Security Policy I have included `require-sri-for script`. However, in the Chrome console I get a notice (not an error, just info):

The Content-Security-Policy directive 'require-sri-for' is implemented behind a flag which is currently disabled.

As far as I can interpret this, it's telling me that I am trying to require SRI for something that is disabled anyway. For example if I have: script-src 'none' then there would be no point in having require-sri-for script, as all script is disallowed anyway.

However, the notice still shows when I have script-src 'self'.

What is the proper meaning of this notice and what do I need to do to fix it?

jamieweb
  • *"is implemented behind a flag which is currently disabled"* - this means that the browser has by default no idea what `require-sri-for` means and that you explicitly have to enable it to use it, i.e. in `chrome://flags`. But are you sure that you are really using Chrome? According to https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/require-sri-for the feature should be available since Chrome 54 but is still experimental (and disabled by default) in Firefox currently. – Steffen Ullrich Feb 24 '18 at 17:37
  • Ohh, that makes sense! I was thinking that it meant a CSP directive or value by the term "flag", not a Chrome flag! As you say, the MDN article says that it is supported since Chrome 54, but I am getting the same warning in both the latest versions of Chrome and Chromium. – jamieweb Feb 24 '18 at 17:51
  • @SteffenUllrich I think chrome still requires a flag, because the [feature](https://www.chromestatus.com/feature/5635811978510336) still links to a bug that's still open (and updated in the last week). – phyrfox Feb 24 '18 at 17:53

3 Answers

Answer (score 10)

Chrome tells you it knows the directive but the browser is currently configured to ignore it, no matter if it would be applied or not.

SRI (Subresource Integrity), as a W3C Recommendation, is from June 2016 but require-sri-for, the Content Security Policy directive, was introduced later in Editor's Draft in August 2016. Drafts are provided for discussion only and may change at any moment. And such experimental features are usually not enabled by default to make room for changes in the implementation, specification, or both.

Whenever Chrome spots the directive in a policy, it will first check whether experimental features are enabled, and will parse the directive and its value if yes. If experimental features are not enabled it will log the message you're seeing:

The Content-Security-Policy directive 'require-sri-for' is implemented behind a flag which is currently disabled.

It will report the message even if scripts would be later disabled with script-src 'none'; the message is logged into the console early when parsing the directive. You can see it in the source code in the CSPDirectiveList::AddDirective method.

To make the message go away you have two options:

  1. Enable #enable-experimental-web-platform-features in chrome://flags/ (copy this chrome://flags/#enable-experimental-web-platform-features and paste it to your Chrome, restart the browser), and test your policy so that you're ready when require-sri-for gets shipped; however, this will make the message go away just for you and a very small percentage of users who enabled experimental features in their browsers

  2. Remove require-sri-for from your policy, for example if you don't need it because you're using script-src 'none', and add it back later once you'd like to verify scripts

  3. Wait until Chrome enables the feature for everybody, until then users will see the message in the console even if you're not verifying integrity of loaded scripts

I personally go with option 3, but I've temporarily enabled the flag to see whether the site would work once require-sri-for would ship.

  • `#enable-experimental-web-platform-features` - That seems to be the mystery flag that I couldn't find! Thanks – jamieweb Mar 29 '18 at 17:37
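The answer above describes what the directive asks of the browser: once `require-sri-for script` is honoured, every external script must carry an `integrity` attribute, and the browser compares the fetched bytes against it. The following Python is an added example, not code from the question, the answers or Chromium, that reproduces that logic offline so a policy can be checked before shipping it: it parses a CSP header, computes SRI `integrity` values, verifies content against an attribute the way the browser does, and lists the external scripts on a page that the directive would block. The CDN origin `https://cdn.example`, the script paths, the script body and the function names (`parse_csp`, `sri_value`, `integrity_matches`, `scripts_missing_integrity`) are all constructed for the example.

```python
import base64
import hashlib
import re

# Constructed sample CSP: 'self' scripts plus a hypothetical CDN origin, with SRI required for scripts.
CSP_HEADER = (
    "default-src 'none'; "
    "script-src 'self' https://cdn.example; "
    "require-sri-for script"
)


def parse_csp(header):
    """Split a CSP header into {directive: [values]} (directive names are case-insensitive)."""
    policy = {}
    for token in header.split(";"):
        parts = token.strip().split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def sri_value(content, algo="sha384"):
    """Build the value of a <script integrity> attribute: '<algo>-<base64 digest>'."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def integrity_matches(content, integrity_attr):
    """Check fetched bytes against an integrity attribute the way the browser does:
    the attribute may list several '<algo>-<hash>' tokens; accept if any supported one matches."""
    for token in integrity_attr.split():
        algo = token.partition("-")[0]
        if algo in ("sha256", "sha384", "sha512") and sri_value(content, algo) == token:
            return True
    return False


SCRIPT_TAG = re.compile(r"<script\b([^>]*)>", re.IGNORECASE)
ATTRIBUTE = re.compile(r'([\w-]+)\s*=\s*"([^"]*)"')


def scripts_missing_integrity(html, policy):
    """List src values of external scripts that 'require-sri-for script' would block
    because they carry no integrity attribute. Returns [] when the policy lacks the directive."""
    if "script" not in [v.lower() for v in policy.get("require-sri-for", [])]:
        return []
    missing = []
    for match in SCRIPT_TAG.finditer(html):
        attrs = {k.lower(): v for k, v in ATTRIBUTE.findall(match.group(1))}
        if "src" in attrs and not attrs.get("integrity"):
            missing.append(attrs["src"])
    return missing


# Constructed script body and page: app.js carries a correct integrity value, lib.js none,
# and the inline script is untouched by the directive.
APP_JS = b"console.log('app loaded');"
HTML = f'''
<script src="/app.js" integrity="{sri_value(APP_JS)}" crossorigin="anonymous"></script>
<script src="https://cdn.example/lib.js"></script>
<script>inlineWork();</script>
'''

if __name__ == "__main__":
    policy = parse_csp(CSP_HEADER)
    print("require-sri-for:", policy.get("require-sri-for"))
    print("scripts without integrity:", scripts_missing_integrity(HTML, policy))
    print("app.js verifies:", integrity_matches(APP_JS, sri_value(APP_JS)))
    print("tampered app.js verifies:", integrity_matches(APP_JS + b"//x", sri_value(APP_JS)))
```

Running the script reports `https://cdn.example/lib.js` as the one script the directive would block, and shows that a single appended byte makes the integrity check fail; the check in `integrity_matches` accepts any listed token of a supported algorithm, which is the behaviour to expect once a browser enforces the directive, whereas the console message in the question means Chrome is not yet enforcing it at all.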
Answer (score 4)

This means that the require-sri-for feature is disabled in chrome://flags. However, I have been unable to find a relevant flag that enables this.

The Mozilla documentation states that require-sri-for has been supported in Chrome since v54, however I have tested both the latest versions of Chrome and Chromium, and this doesn't seem to be the case.

This seems to be a known bug in Chrome that currently has no fix.

Edit 2018-03-29: I have changed the accepted answer to Michal Špaček's - the mystery flag is #enable-experimental-web-platform-features.

jamieweb
Answer (score 1)

When browser vendors roll out new features, they often first hide them behind a flag. Users have to explicitly opt in to the feature to use it. This gives the vendors a small population of users to "experiment" on. In Chrome, you find the flags on the chrome://flags page.

So the message you get is telling you that this feature isn't active in Chrome unless you activate it. Taking a look at the Mozilla page for this directive, it should be on without a flag from Chrome 54 and up. Firefox still requires a flag though, and IE/Edge don't implement it at all.

In other words, the require-sri-for CSP directive offers protection for some of your users, but not all. However, as you yourself point out, if you have script-src 'none' there is no point in requiring SRI for scripts that are forbidden anyway.

Anders
  • Thanks for your answer. It didn't click that it meant a Chrome flag since, as the documentation says, it is supported in Chrome since v54. However, I have tested this in both the latest versions of Chrome and Chromium, and the warning still shows and I am unable to locate a flag in `chrome://flags` that enables support for `require-sri-for`. Looking around online it seems that it's a known bug and that it's not possible to enable it, and there doesn't seem to be any progress for the time being. Any idea why the docs say that it is supported since Chrome 54? – jamieweb Feb 27 '18 at 17:55