Why does Chrome tell me that the CSP 'require-sri-for' directive is implemented behind a flag which is currently disabled?

Chrome tells you it knows the directive but the browser is currently configured to ignore it, no matter if it would be applied or not.

SRI (Subresource Integrity), as a W3C Recommendation, is from June 2016, but require-sri-for, the Content Security Policy directive, was introduced later in an Editor's Draft in August 2016. Drafts are provided for discussion only and may change at any moment. And such experimental features are usually not enabled by default to make room for changes in the implementation, specification, or both.

Whenever Chrome spots the directive in a policy, it will first check whether experimental features are enabled, and will parse the directive and its value if yes. If experimental features are not enabled it will log the message you're seeing:

The Content-Security-Policy directive 'require-sri-for' is implemented behind a flag which is currently disabled.

It will report the message even if scripts would be later disabled with script-src 'none'; the message is logged into the console early when parsing the directive. You can see it in the source code in the CSPDirectiveList::AddDirective method.

To make the message go away you have two options:

  1. Enable #enable-experimental-web-platform-features in chrome://flags/ (copy this chrome://flags/#enable-experimental-web-platform-features and paste it to your Chrome, restart the browser), and test your policy so that you're ready when require-sri-for gets shipped; however, this will make the message go away just for you and a very small percentage of users who enabled experimental features in their browsers

  2. Remove require-sri-for from your policy, for example if you don't need it because you're using script-src 'none', and add it back later once you'd like to verify scripts

  3. Wait until Chrome enables the feature for everybody, until then users will see the message in the console even if you're not verifying integrity of loaded scripts

I personally go with option 3, but I've temporarily enabled the flag to see whether the site would work once require-sri-for would ship.
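
The parse-time behaviour described in the answer above, as an added example that is not part of the original answer and is not Chromium's code: a simplified JavaScript model in which the flag check runs per directive during parsing, so the message appears even when the policy also contains script-src 'none'. The function names (splitPolicy, parsePolicy, withoutRequireSriFor) and the sample policy are hypothetical and constructed for illustration.

```javascript
// Simplified model of the parse-time behaviour described above.
// Not Chromium source; function names are hypothetical.
const FLAG_MESSAGE =
  "The Content-Security-Policy directive 'require-sri-for' is implemented " +
  "behind a flag which is currently disabled.";

// Split a serialized policy into [name, values] pairs (';' separates
// directives, whitespace separates tokens; names are case-insensitive).
function splitPolicy(policy) {
  return policy
    .split(";")
    .map((d) => d.trim().split(/\s+/).filter(Boolean))
    .filter((tokens) => tokens.length > 0)
    .map(([name, ...values]) => [name.toLowerCase(), values]);
}

// Parse the policy and collect console messages. The flag check happens
// while parsing each directive, before any other directive (such as
// script-src 'none') is ever evaluated against a resource load.
function parsePolicy(policy, { experimentalFeatures = false } = {}) {
  const directives = new Map();
  const messages = [];
  for (const [name, values] of splitPolicy(policy)) {
    if (name === "require-sri-for" && !experimentalFeatures) {
      messages.push(FLAG_MESSAGE); // directive is known but ignored
      continue;
    }
    if (!directives.has(name)) directives.set(name, values); // first one wins
  }
  return { directives, messages };
}

// Option 2 from the answer: drop the directive from the policy string.
function withoutRequireSriFor(policy) {
  return splitPolicy(policy)
    .filter(([name]) => name !== "require-sri-for")
    .map(([name, values]) => [name, ...values].join(" "))
    .join("; ");
}

// Constructed sample policy: scripts are blocked entirely, yet the message
// is still produced when the flag is off.
const sample = "default-src 'self'; script-src 'none'; require-sri-for script style";
const off = parsePolicy(sample);
const on = parsePolicy(sample, { experimentalFeatures: true });
console.log(off.messages, on.directives.get("require-sri-for"));
console.log(withoutRequireSriFor(sample));
```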


This means that the require-sri-for feature is disabled in chrome://flags. However, I have been unable to find a relevant flag that enables this.

The Mozilla documentation states that require-sri-for has been supported in Chrome since v54, however I have tested both the latest versions of Chrome and Chromium, and this doesn't seem to be the case.

This seems to be a known bug in Chrome that currently has no fix.

Edit 2018-03-29: I have changed the accepted answer to Michal Špaček's - the mystery flag is #enable-experimental-web-platform-features.