I am exploring ways in which I could/should use CSP and SRI for my website.
For my site I’m looking to use a CSP, something like this:
Content-Security-Policy: block-all-mixed-content; base-uri https://vasports.com.au; default-src 'self'; object-src 'none'; script-src 'strict-dynamic' 'nonce-RandomValue' 'unsafe-inline' https:; report-uri https://www.example.com/report;
NOTE: I used recommendations as per https://www.websec.be/blog/cspstrictdynamic/ so don't give me a hard time about the ‘unsafe-inline’ directive or not using whitelisted URIs.
My site also uses Subresource Integrity checks for all externally sourced scripts, so I am thinking that I probably should also include the CSP directive:
Content-Security-Policy: require-sri-for script
My site also contains some inline scripts (which is why I want to use the CSP random nonce, but it means I have to use it for all of them).
Does it make sense to use SRI as well as implementing CSP random nonce?
And if not then what is a good practice?
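The following is an added, self-contained example (not part of the question, and not code from the linked blog) showing how the two mechanisms fit together on the server side: a fresh nonce is generated per response and placed both in the `script-src` directive and on each inline `<script>` tag, while every external script carries an `integrity` attribute computed from the exact bytes served, plus `crossorigin="anonymous"` (required for SRI on cross-origin resources). The nonce gates which `<script>` elements may execute; SRI checks that what those elements fetched was not altered in transit or on the CDN, so they answer different questions and are complementary. The script body, the CDN URL and the report endpoint are constructed placeholders; `require-sri-for` is left out because it never progressed past a draft and is not honoured by current browsers.

```python
import base64
import hashlib
import secrets

# Constructed sample: the exact bytes of an external script as served by the CDN.
# Any change to these bytes changes the digest and the browser refuses to run it.
EXTERNAL_SCRIPT = b"window.vendor = function () { /* hypothetical vendor code */ };\n"
EXTERNAL_SRC = "https://cdn.example.com/vendor.js"   # placeholder URL
REPORT_URI = "https://www.example.com/report"         # placeholder, as in the question


def make_nonce() -> str:
    """Unguessable per-response nonce. Generate one for every response; never reuse."""
    return base64.b64encode(secrets.token_bytes(16)).decode()


def compute_sri(content: bytes, algo: str = "sha384") -> str:
    """Build the integrity= value: '<algo>-<base64 digest>' over the served bytes."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"


def verify_sri(fetched: bytes, integrity: str) -> bool:
    """Mirror the browser's check: recompute the digest of what was fetched and compare."""
    algo, _, _ = integrity.partition("-")
    if algo not in ("sha256", "sha384", "sha512"):
        return False  # unknown algorithm: the resource would be blocked
    return secrets.compare_digest(compute_sri(fetched, algo), integrity)


def build_csp(nonce: str, report_uri: str = REPORT_URI) -> str:
    """Nonce + 'strict-dynamic' policy in the shape of the one in the question."""
    directives = [
        "block-all-mixed-content",
        "base-uri https://vasports.com.au",
        "default-src 'self'",
        "object-src 'none'",
        # 'unsafe-inline' and https: are fallbacks ignored by browsers that
        # understand 'strict-dynamic'; only nonced scripts (and what they load) run.
        f"script-src 'strict-dynamic' 'nonce-{nonce}' 'unsafe-inline' https:",
        f"report-uri {report_uri}",
    ]
    return "; ".join(directives)


def render_page(nonce: str, external_src: str, external_integrity: str) -> str:
    """Every <script>, inline or external, carries the nonce; external ones also carry SRI."""
    return (
        "<!doctype html><html><head>\n"
        f'<script nonce="{nonce}" src="{external_src}" '
        f'integrity="{external_integrity}" crossorigin="anonymous"></script>\n'
        f'<script nonce="{nonce}">window.vendor && window.vendor();</script>\n'
        "</head><body></body></html>\n"
    )


def build_response() -> tuple[dict, str]:
    """One full response: headers and body sharing the same freshly minted nonce."""
    nonce = make_nonce()
    integrity = compute_sri(EXTERNAL_SCRIPT)
    headers = {"Content-Security-Policy": build_csp(nonce)}
    body = render_page(nonce, EXTERNAL_SRC, integrity)
    return headers, body


if __name__ == "__main__":
    hdrs, html = build_response()
    print(hdrs["Content-Security-Policy"])
    print(html)
```

Two properties worth checking in a deployment: the nonce in the header must be the same value as on every `<script>` tag in that one response (a cached page with a stale nonce silently breaks all scripts), and the `integrity` value must be recomputed whenever the external file changes, otherwise the browser blocks the new version, which is exactly the behaviour SRI is for.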