Motivation
The lib currently uses an approach that injects script hashes as an `integrity` attribute, also for scripts with a `src` attribute.
The problem is that Firefox messes up SRI validation on scripts with a `src` attribute (#5, #47). I conjecture that it's the same with Safari, which supports `strict-dynamic` since version 15.4, but also doesn't work with this lib.
This doesn't happen with inline scripts. So the idea is to collect and replace all scripts with a `src` attribute and insert them with a trusted inline proxy loader, so they get transitive trust for `strict-dynamic`.
References
https://web.dev/measure/ from Google uses a hash-based strict CSP delivered by HTTP response header with such a loader approach, and it works in Firefox. (It doesn't use https://github.com/google/strict-csp; the site uses a customized script loader and no meta tag.)