mikewest
commented
1 day ago Picking this back up after years, apologies for ignoring the issue in the meantime. I'm going to close this out, though: I think @yoavweiss wants to integrate reporting into require-sri-for, and that seems like a better place to talk about the business case. Here, I think we can focus on the ease of deployment and leave it at that to avoid additional complexity.
Thanks for the feedback!
Adding CSP-Reporting into the example makes the business case better: the owner of the websites will actually receive a signal from the user that something strange is going on on the website.
Possibly adding a workaround (what is integrity fails) in the example script would also help adoption: eg. the technical version of "This video isn't available at this moment' as example. Though, this proposal should give less issues than the current version of SRI :).