Content-Security-Policy with NONCE and Subresource Integrity

I am exploring ways in which I could/should use CSP and SRI for my website.

For my site I’m looking to use a CSP, something like this.

Content-Security-Policy:
block-all-mixed-content;
base-uri https://vasports.com.au;
default-src 'self';
object-src 'none';
script-src 'strict-dynamic' 'nonce-RandomValue' 'unsafe-inline' https:;
report-uri https://www.example.com/report;

NOTE: I used recommendations as per https://www.websec.be/blog/cspstrictdynamic/ so don't give me a hard time about the 'unsafe-inline' directive or not using whitelisted URIs.

My site also uses Subresource Integrity checks for all externally sourced scripts, so I am thinking that I probably should also include the CSP directive.

Content-Security-Policy: require-sri-for script

My site also contains some inline scripts (which is why I want to use the CSP random nonce, but it means I have to use it for all).

Does it make sense to use SRI as well as implementing CSP random nonce?
And if not then what is a good practice?


Source: stackoverflow-javascript