Tags: firebase, http-headers, cors, onesignal, subresource-integrity

Subresource Integrity security header on Firebase


SRI - Subresource Integrity security feature on Firebase

Any advice on this? Thanks a lot!

index.html

    <!-- OneSignal -->
    <script src="https://cdn.onesignal.com/sdks/OneSignalSDK.js" integrity="sha256-t1LT+Y2Mggg3CziqvOSn//47ekhB3IWvczG5g5pZF5I= sha384-vVrIVOhTb6P+4WMvVY4OhcO9b04Pt1kfcrkiTi3q8b/MG7kRwiNSIuhmKBnlKA3W sha512-zI/26urvS8F5oBQj4MChQbf8jVDP06RucbNYHuTguAxo3h8PXgFlM175kxarwnM9y0wTVjGAXe5JWIHsRMK2kw==" crossorigin="anonymous" async></script>

firebase.json

    "headers": [
      {
        "source": "**",
        "headers": [
          {
            "key": "Access-Control-Allow-Origin",
            "value": "https://cdn.onesignal.com/"
          },
          {
            "key": "Vary",
            "value": "Origin"
          }
        ]
      }
    ]

Note: For subresource-integrity verification of a resource served from an origin other than the document in which it’s embedded, browsers additionally check the resource using Cross-Origin Resource Sharing (CORS), to ensure the origin serving the resource allows it to be shared with the requesting origin. (Subresource_Integrity)
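
The checks described in the Note above, as an added example that is not part of the original post: a simplified Node.js model of what a browser does for a `<script integrity="..." crossorigin="anonymous">` tag. It shows that the CORS check reads `Access-Control-Allow-Origin` on the response that carries the script (the CDN's), and that when several hashes are listed only the strongest algorithm is compared. The origins, URL and script body are constructed, and the function names are hypothetical.

```javascript
// Added example: simplified model of the browser's SRI decision, not a full Fetch implementation.
const { createHash } = require('node:crypto');

const STRENGTH = { sha256: 1, sha384: 2, sha512: 3 };

// Parse an integrity attribute and keep only the digests of the strongest
// algorithm present, as the SRI spec requires when several are listed.
function strongestMetadata(integrity) {
  const items = integrity.trim().split(/\s+/)
    .map((tok) => /^(sha256|sha384|sha512)-([A-Za-z0-9+/_-]+={0,2})/.exec(tok))
    .filter(Boolean)
    .map(([, alg, digest]) => ({ alg, digest }));
  const best = Math.max(0, ...items.map((i) => STRENGTH[i.alg]));
  return items.filter((i) => STRENGTH[i.alg] === best);
}

// CORS check for crossorigin="anonymous": evaluated on the headers of the
// *resource* response, never on headers served with the embedding page.
function corsAllows(docOrigin, resourceUrl, resourceHeaders) {
  if (new URL(resourceUrl).origin === docOrigin) return true; // same-origin
  const acao = resourceHeaders['access-control-allow-origin'];
  return acao === '*' || acao === docOrigin; // exact origin string, no trailing slash
}

function sriDecision({ docOrigin, resourceUrl, resourceHeaders, body, integrity }) {
  if (!corsAllows(docOrigin, resourceUrl, resourceHeaders)) return 'blocked: CORS';
  const wanted = strongestMetadata(integrity);
  if (wanted.length === 0) return 'loaded: no usable integrity metadata';
  const ok = wanted.some(({ alg, digest }) =>
    createHash(alg).update(body).digest('base64') === digest);
  return ok ? 'loaded: integrity match' : 'blocked: integrity mismatch';
}

// Constructed sample data (placeholder origins, not real services).
const body = Buffer.from('console.log("sdk");');
const sri = (alg, data) => `${alg}-${createHash(alg).update(data).digest('base64')}`;
const page = 'https://example-app.web.app';
const cdn = 'https://cdn.example.com/sdk.js';

console.log(sriDecision({
  docOrigin: page, resourceUrl: cdn, body,
  resourceHeaders: { 'access-control-allow-origin': '*' },
  integrity: `${sri('sha256', body)} ${sri('sha384', body)} ${sri('sha512', body)}`,
}));
```
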


Solution

  • Have you tried setting your function to public? Don't know if that's actually what you're looking for though. https://cloud.google.com/functions/docs/securing/managing-access-iam#allowing_unauthenticated_function_invocation