
Should subresource integrity and cross reference always be used?

I currently have about 3 lots of jQuery being used from various CDNs. Should I use subresource integrity on all scripts? Should I also be using it on locally hosted JavaScript files? Here's my code:

<script src="https://code.jquery.com/jquery-3.2.1.slim.min.js" integrity="sha384-KJ3o2DKtIkvYIK3UENzmM7KCkRr/rE9/Qpg6aAZGJwFDMVNA/GpGFF93hXpG5KkN" crossorigin="anonymous"></script>
<script>window.jQuery || document.write('<script src="https://code.jquery.com/jquery-3.2.1.slim.min.js"><\/script>')</script>
<script src="https://getbootstrap.com/docs/4.0/assets/js/vendor/popper.min.js"></script>
<script src="https://getbootstrap.com/docs/4.0/dist/js/bootstrap.min.js"></script>
<script src="https://code.jquery.com/jquery-3.4.1.js"></script>

<script src="https://cdn.datatables.net/1.10.20/js/jquery.dataTables.min.js"></script>
<script src="https://cdn.datatables.net/1.10.20/js/dataTables.bootstrap4.min.js"></script>

It appears only one uses it and the others don't. Would it be advisable to do it for all? I'm also planning on using just 3.4.1 slim.min instead of 3.2.1 and 3.4.1 separately. Thanks.

For locally hosted JS, using subresource integrity would not be suggested. If you still want to use it, you can, but you need to make sure you generate the hash every time the file changes and update the hash value on the src tag.

For the remaining ones, you can add it, but as they are third-party JS and we don't know when they would be updated, if we get release notes for them we implement SRI for those also.

Please check the link below, which helps with having a failover mechanism if the file updates and the hash fails: https://hacks.mozilla.org/2015/09/subresource-integrity-in-firefox-43/
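
As an added example (not part of the original question or answer), this Node.js sketch computes an `integrity` value and mirrors the browser's check, showing that a pinned hash stops matching as soon as the file changes and that listing a second hash lets both versions load during a rollover. The function names, the `cdn.example` URL and the two sample file bodies are constructed for illustration.

```javascript
// Added example, not from the original post: compute and check SRI values in Node.js.
const crypto = require("node:crypto");

const STRENGTH = ["sha256", "sha384", "sha512"]; // weakest to strongest, per the SRI spec

// Build the integrity value for a resource body, e.g. "sha384-<base64 digest>".
function sriHash(body, alg = "sha384") {
  return `${alg}-${crypto.createHash(alg).update(body).digest("base64")}`;
}

// Mirror the browser check: parse the attribute, keep only the strongest algorithm
// present, and accept if any digest of that algorithm matches the body.
function sriMatches(body, integrity) {
  const entries = integrity.trim().split(/\s+/)
    .map((token) => token.split("?")[0]) // drop optional "?options"
    .map((token) => {
      const dash = token.indexOf("-");
      return { alg: dash > 0 ? token.slice(0, dash) : "", token };
    })
    .filter((e) => STRENGTH.includes(e.alg)); // unknown or malformed tokens are ignored
  if (entries.length === 0) return true; // no usable metadata: nothing is enforced
  const best = entries.reduce((a, b) =>
    STRENGTH.indexOf(b.alg) > STRENGTH.indexOf(a.alg) ? b : a).alg;
  return entries.filter((e) => e.alg === best)
    .some((e) => e.token === sriHash(body, best));
}

// Emit a tag with integrity plus the crossorigin attribute needed for cross-origin loads.
function scriptTag(src, body) {
  return `<script src="${src}" integrity="${sriHash(body)}" crossorigin="anonymous"></script>`;
}

// Constructed sample input: two "releases" of a hypothetical library file.
const v1 = Buffer.from("window.lib = { version: '1.0.0' };\n");
const v2 = Buffer.from("window.lib = { version: '1.0.1' };\n");
const pinned = sriHash(v1);

console.log(scriptTag("https://cdn.example/lib.min.js", v1));
console.log("v1 against pinned hash:", sriMatches(v1, pinned));
console.log("v2 against pinned hash:", sriMatches(v2, pinned));
console.log("v2 with both hashes listed:", sriMatches(v2, `${pinned} ${sriHash(v2)}`));
```

Pinning to a versioned URL (such as the `jquery-3.4.1` files in the question) keeps the hash stable, because the bytes behind that URL are not expected to change.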
