16May
If a site includes the header ‘HTTP Content-Security-Policy require-sri-for’ then does this include all nested scripts?
If I’m using subresource integrity on a web page and a script that I import then itself imports a further script, will the CSP ‘require-sri-for’ also include those subsequent, nested, imported scripts?
For example, if a .js file is pulled…
