Uso la siguiente regla de CSP:
Content-Security-Policy: require-sri-for script style
Sé que si carga estilo y script desde un CDN, se bloqueará si no incluyo su hash.
Pero si sirvo mi script y mi estilo desde mi propio dominio, ¿seguirá siendo accesible? (CORS está deshabilitado)
Pido esto porque un visitante del sitio me lo envía:
2017-02-18 21:52:14.622 example.com/:1 Refused to load the stylesheet 'https://example.com/assets/css/main.css' because 'require-sri-for' directive requires integrity attribute be present for all stylesheets.
2017-02-18 21:52:14.632 example.com/:1 Refused to load the script 'https://example.com/assets/js/main.min.js' because 'require-sri-for' directive requires integrity attribute be present for all scripts.
2017-02-18 21:52:14.633 example.com/:1 Refused to load the script 'https://example.com/assets/js/katex.min.js' because 'require-sri-for' directive requires integrity attribute be present for all scripts.
2017-02-18 21:52:14.633 example.com/:1 Refused to load the script 'https://example.com/assets/js/section.min.js' because 'require-sri-for' directive requires integrity attribute be present for all scripts.
2017-02-18 21:52:14.633 example.com/:1 Refused to load the script 'https://example.com/assets/js/canvas.js' because 'require-sri-for' directive requires integrity attribute be present for all scripts.
2017-02-18 22:01:13.667 example.com/:1 Refused to load the stylesheet 'https://example.com/assets/css/main.css' because 'require-sri-for' directive requires integrity attribute be present for all stylesheets.
Esto no suena normal y no pude reproducirlo en ningún dispositivo.
Editar
Descubrí que es posible agregar un hash SRI al estilo y al script, pero la pregunta sigue siendo, ¿es necesario hacerlo?