I'm reading about Subresource Integrity and understand it's meant for verifying external files. I guess it's no surprise I couldn't find any reference to inline JavaScript from either MDN or W3C.
So, is it safe to say that the SRI-related attributes, integrity and crossorigin, are completely useless for inline JavaScript ?
So, is it safe to say that the SRI-related attributes
integrityandcrossoriginare completely useless for inline JavaScript?
Yes, because those attributes are only useful for a script element that has a src attribute:
https://html.spec.whatwg.org/multipage/scripting.html#attr-script-integrity
The
integrityattribute represents the integrity metadata for requests which this element is responsible for. The value is text. Theintegrityattribute must not be specified when embedding a module script or when thesrcattribute is not specified. [SRI]
Also as noted in the question, that’s also made clear by the description in MDN:
https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity
Subresource Integrity (SRI) is a security feature that enables browsers to verify that files they fetch (for example, from a CDN) are delivered without unexpected manipulation. It works by allowing you to provide a cryptographic hash that a fetched file must match.