> Sounds like a great argument for keeping js disabled in my browser. Because "httpS://" does nothing whatever to sanitize the js that it delivers. And one perfectly legit site may pull in js from two dozen or more different servers. Zero of which are magically guaranteed to only deliver benevolent code.
See:
https://developer.mozilla.org/en-US/docs/Web/Security/Subres...
Yes, great. When used. And maintained. All the way down the foo.js => bar.js => baz.js => etc.js chain.
Might you know which js blockers support "only with 'integrity='" conditionals?