16May
If a site includes the header ‘HTTP Content-Security-Policy require-sri-for’ then does this include all nested scripts?
If I'm using subresource integrity on a web page and a script that I import then itself imports a further script, will the CSP 'require-sri-for' also include those subsequent, nested, imported scripts?
For example, if a .js file is pulled in by the main web page and it includes reference to a further .js file, the top level file's hash won't change if the URL of the further .js file doesn't change but the code at that URL has. So the top level file will pass its SRI check even though that script is then pulling in an unchecked script.
Or does CSP 'require-sri-for' checking get inherited by the scripts that are then loaded, and so on down the import chain (if there is one)?