• I am confident your advice …
    Ensure your assets (scripts, stylesheets) were added using the WordPress API hooks, such as wp_enqueue_script(), and so on.
    … is sound. It is just a bit beyond my skill set/comfort level. This reflects my limitations, not the plugin. The SRI thing badly needs a solution that dunderhead WP users like myself can implement, and you seem to be the only one trying to address it. So, good for you. Much appreciated. I’ll do some learning and muster my courage and perhaps try again.

Viewing 1 replies (of 1 total)
  • Plugin Author Meitar

    (@meitar)

    The SRI thing badly needs a solution that dunderhead WP users like myself can implement, and you seem to be the only one trying to address it.

    The existence of this plugin is itself a stop-gap measure until WordPress Core implements SRI as part of the framework itself, where it arguably should belong. But WP development rightly moves this sort of enhancement roadmap into plugins (called “feature plugins”), first by independent developers such as myself and then becoming adopted by the WP Core team itself (such as the Lazy Loading Feature Plugin), and then finally code ownership is transferred to the WP Core maintainers.

    Exactly how those priorities are set is not something I’m privy to, and it’s certainly possible that the approach I’ve taken in this plugin is suboptimal for some reason that I’m not aware of. However, it works flawlessly for me and every site I’m responsible for. I’ve even given presentations featuring this plugin at Microsoft and other enterprises, and it’s in use by a fair number of teams on both intranets and extranets powered by WordPress.

    The other thing I’ll say is that SRI attributes are actually extremely simple and so you don’t really even need a plugin if you’re adding your own scripts. This plugin is intended to plug the holes left by other plugin developers whose code does not take responsibility for the security of their own releases. That’s part of why the only time this plugin does anything at all in the first place is when other plugins use the WP API to add stylesheets or scripts that are not already pre-bundled with said plugin or theme already.

    This is all a rather verbose way of saying that it’s very possible that you activate this plugin and nothing happens and that’s not necessarily an error. If you only ever add subresources to your Web site that are served from your own Web site, then SRI attributes cannot add any security value to your pages, so this plugin does nothing. That’s what the W3C SRI recommendation tells implementers to do, because the alternative would simply bloat your pages without any perceptible benefit.

    So maybe you’re not a dunderhead, and maybe you just don’t have any resources that adding SRI attributes would be useful for.

  • The topic ‘Giving an ‘A’ for effort’ is closed to new replies.
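
The two points made in the reply above (an SRI attribute is simple to add to your own scripts, and it is only worth adding to resources not served from your own site) as an added example; this is not the plugin's code. The handle `example-cdn-lib`, the `example_*` function names and the pinned digest are hypothetical placeholders, and comparing hosts is a simplification of a full origin check.

```php
<?php
// Added example for a theme's functions.php or a small site plugin (scripts only).

/** Pinned digests keyed by script handle. The value below is a placeholder. */
function example_sri_pins(): array {
    return array(
        'example-cdn-lib' => 'sha384-REPLACE_WITH_DIGEST_OF_THE_REVIEWED_FILE',
    );
}

/**
 * Build an SRI value from the bytes of a copy you have reviewed, e.g.
 * example_sri_value( file_get_contents( '/path/to/reviewed-copy.js' ) ).
 */
function example_sri_value( string $bytes, string $algo = 'sha384' ): string {
    return $algo . '-' . base64_encode( hash( $algo, $bytes, true ) );
}

/** True when $src names a host other than this site's (relative URLs are local). */
function example_is_cross_origin( string $src ): bool {
    $src_host  = wp_parse_url( $src, PHP_URL_HOST );
    $site_host = wp_parse_url( home_url(), PHP_URL_HOST );
    return is_string( $src_host ) && is_string( $site_host )
        && 0 !== strcasecmp( $src_host, $site_host );
}

/** Add integrity/crossorigin to pinned, cross-origin scripts; leave the rest alone. */
function example_add_sri( string $tag, string $handle, string $src ): string {
    $pin = example_sri_pins()[ $handle ] ?? null;
    if ( null === $pin || ! example_is_cross_origin( $src ) ) {
        return $tag; // Unpinned or served from this site: SRI adds nothing here.
    }
    if ( false !== strpos( $tag, ' integrity=' ) ) {
        return $tag; // Another plugin or the theme already set one.
    }
    // crossorigin is required so the browser can verify a cross-origin response.
    $attrs = sprintf( ' integrity="%s" crossorigin="anonymous"', esc_attr( $pin ) );
    // Target only the <script> element that carries src, not inline before/after blocks.
    $out = preg_replace( '/<script\b(?=[^>]*\bsrc=)/', '<script' . $attrs, $tag, 1 );
    return $out ?? $tag;
}
add_filter( 'script_loader_tag', 'example_add_sri', 10, 3 );
```

If the third party changes the file, the browser refuses to run it until the pin is updated, so pin only URLs that point at a fixed version.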