3

According to Mozilla:

The HTTP Content-Security-Policy require-sri-for directive instructs the client to require the use of Subresource Integrity for scripts or styles on the page.

I fail to see the benefit. The CSP is designed to protect me from someone injecting scripts into my page. If an attacker is able to inject a script tag, wouldn't she also be able to inject an appropriate integrity attribute?

What attack is possible without this directive, but fails with it?

Anders

2 Answers

4

The HTTP Content-Security-Policy require-sri-for directive only aims to protect against developers who would forget to add the integrity tag.

Frederik Braun, who claims to be the author of subresource integrity, wrote on his blog:

GitHub is one of the first big websites using Subresource Integrity and can thus defend against potentially bad Content Delivery Networks (CDNs). The tricky thing with SRI is that you have to include it for every HTML tag that points to a CDN if you want the security benefit. And then, of course, it happened that someone forgot to add this and people were sad.

Xavier59
  • I wonder though why it's a CSP profile, not just a devtools setting (warn me on missing `integrity` attributes). – Bergi Feb 26 '18 at 14:37
  • Because failed SRI will be reported to the CSP reportURI and then you as the site operator get to receive hijack alerts from the client. – John Keates Feb 26 '18 at 19:57
0

It protects you against injections in resources you allow. If you were to allow some tracker or library from an external source and they were to be hijacked, the CSP won’t prevent it. SRI will ensure that if a resource were to change, it won’t be loaded. This is why CSP and SRI both exist, they do different things.

John Keates
  • This correctly explains what SRI is for. But the question is what the require-sri-for CSP directive is for. – Anders Feb 26 '18 at 13:19
  • It allows you to use CSP to enforce SRI. This is especially useful for when you don’t control the sub-resources. – John Keates Feb 26 '18 at 13:25
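As an added example (not code from either answer), the following Python models the two checks the answers describe: the client-side SRI comparison that refuses a resource whose content has changed, and the require-sri-for policy check that flags external script and stylesheet tags carrying no integrity attribute. The resource bodies and the sample HTML are constructed here, and `cdn.example` is a placeholder host; browsers have since dropped require-sri-for, so this models the directive's intended behaviour rather than current browser support.

```python
import base64
import hashlib
import re

# Constructed sample resources: the script the page was built against and a
# tampered copy, standing in for what a hijacked CDN might serve instead.
GOOD_JS = b"window.tracker = function () { return 'ok'; };"
BAD_JS = b"window.tracker = function () { return 'ok'; }; /* changed */"

TAG_RE = re.compile(r"<(script|link)\b([^>]*)>", re.IGNORECASE)
ATTR_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')


def sri_hash(body: bytes, algo: str = "sha384") -> str:
    """Build the integrity token ('sha384-<base64 digest>') for a resource body."""
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"


def sri_matches(body: bytes, integrity: str) -> bool:
    """Client-side SRI check: the fetched body is used only if it matches one
    of the tokens in the integrity attribute (single-algorithm tokens here)."""
    for token in integrity.split():
        algo, _, _ = token.partition("-")
        if algo in ("sha256", "sha384", "sha512") and sri_hash(body, algo) == token:
            return True
    return False


def missing_integrity(html: str, require=("script", "style")) -> list:
    """Model of require-sri-for: list the external script/style URLs the policy
    would block because the tag carries no integrity attribute."""
    blocked = []
    for tag, raw_attrs in TAG_RE.findall(html):
        attrs = {k.lower(): v for k, v in ATTR_RE.findall(raw_attrs)}
        if tag.lower() == "script" and "src" in attrs:
            kind, url = "script", attrs["src"]
        elif tag.lower() == "link" and attrs.get("rel", "").lower() == "stylesheet":
            kind, url = "style", attrs.get("href", "")
        else:
            continue  # inline script or non-stylesheet link: SRI does not apply
        if kind in require and "integrity" not in attrs:
            blocked.append(url)
    return blocked

# Constructed page: one pinned script, one forgotten script, one unpinned stylesheet.
SAMPLE_HTML = f"""
<script src="https://cdn.example/tracker.js" integrity="{sri_hash(GOOD_JS)}"></script>
<script src="https://cdn.example/legacy.js"></script>
<link rel="stylesheet" href="https://cdn.example/site.css">
<link rel="icon" href="/favicon.ico">
"""
```

Running `missing_integrity(SAMPLE_HTML)` reports the two unpinned CDN resources that a `require-sri-for script style` policy would refuse to load, while `sri_matches(BAD_JS, sri_hash(GOOD_JS))` shows the pinned script being rejected once its content changes.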