Why is CSP require-sri-for marked as obsolete?

Question

The description from Mozilla warns that require-sri-for is obsolete and may be removed at any time.

The feature seems useful, especially for large websites where it's likely that a developer may forget to include an integrity attribute.

Is there a specific reason this has been deprecated? Is there an alternative feature to use instead?

Maybe this answer helps you: https://security.stackexchange.com/a/184103 — devopsfun, Jan 04 '20 at 14:29

score 2 · Accepted Answer · answered Jan 05 '20 at 14:30

Firefox 68 for developers explains:

The Content-Security-Policy directive require-sri-for is no longer supported due to concerns about its standardization status. It was previously available only behind a preference, which was off by default (bug 1386214).

Hopefully it will be back when the directive is standardized.

Why is CSP require-sri-for marked as obsolete?

1 Answers1