⚠️ No Integrity-Policy — scripts load without SRI enforcement

Integrity Policy

See how Integrity-Policy blocks scripts loaded without Subresource Integrity and reports the violation to Report URI — enforcing SRI across your entire page.

No Integrity-Policy — scripts load without SRI and no report is sent

Script loading without SRI

This page loads a script from evil-cyber-hacker.com without an SRI integrity attribute — no enforcement, no reporting.

⚠️ No SRI enforcement. The script loads freely with no cryptographic verification. Without Integrity-Policy there is nothing to flag that this script is missing an integrity attribute, and no report is sent to Report URI.

Third-party script status

https://evil-cyber-hacker.com/demo/library.js

The SRI enforcement gap

SRI integrity attributes are opt-in — you have to remember to add them to every script tag. If a script is added without one, nothing stops it from loading, and there is no signal that the check was skipped. On a large site with many contributors this is easy to miss. Integrity-Policy closes this gap by making SRI mandatory for scripts and reporting any violation.
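
An added example, not part of the original demo: a Node.js audit that lists the external scripts on a page that would be blocked once SRI is mandatory, so the gap can be closed before the policy is enforced. The sample markup, cdn.example, /static/app.js and the sha384-PLACEHOLDER values are constructed, and the scan is a simplified regex pass rather than a full HTML parser.

```javascript
// Added example: audit for external scripts that lack usable SRI metadata.
// Simplified regex scan, adequate for templates; not a full HTML parser.

// Constructed sample markup. cdn.example and the sha384 values are placeholders.
const SAMPLE_HTML = `
<script src="https://evil-cyber-hacker.com/demo/library.js"></script>
<script src="https://cdn.example/a.js" integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="https://cdn.example/b.js" integrity="sha384-PLACEHOLDER"></script>
<script src="/static/app.js"></script>
<script>console.log("inline scripts are not fetched");</script>
`;

// Parse the attributes of one opening <script> tag into a lower-cased map.
function parseAttrs(tag) {
  const attrs = {};
  const re = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  const body = tag.replace(/^<script/i, "").replace(/>$/, "");
  let m;
  while ((m = re.exec(body)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// Return one finding per external script that cannot pass an SRI check.
function auditScripts(html, documentURL) {
  const pageOrigin = new URL(documentURL).origin;
  const findings = [];
  for (const [tag] of html.matchAll(/<script\b[^>]*>/gi)) {
    const a = parseAttrs(tag);
    if (!("src" in a)) continue; // inline script: nothing is fetched
    const url = new URL(a.src, documentURL);
    const crossOrigin = url.origin !== pageOrigin;
    if (!/^sha(256|384|512)-/.test(a.integrity ?? "")) {
      findings.push({ url: url.href, reason: "missing-integrity" });
    } else if (crossOrigin && !("crossorigin" in a) && a.type !== "module") {
      // SRI cannot verify an opaque (no-cors) cross-origin response.
      findings.push({ url: url.href, reason: "missing-crossorigin" });
    }
  }
  return findings;
}

console.log(auditScripts(SAMPLE_HTML, "https://report-uri-demo.com/integrity-policy/"));
```

Run against rendered templates in CI, an empty result means every external script carries an integrity attribute before the header is switched from report-only to enforcing.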

Example Integrity-Policy report (sent by the browser)
{
  "integrity-violation": {
    "blockedURL": "https://evil-cyber-hacker.com/demo/library.js",
    "destination": "script",
    "documentURL": "https://report-uri-demo.com/integrity-policy/?protected",
    "reportOnly": false
  }
}