That can mitigate the damage, but any user with a browser that doesn’t support it will still be compromised.
If it’s an important part of the site, it might make the failure more obvious in newer browsers.. but small libraries used on only some pages might not be noticed quickly... so you’d probably also want to test all of your resources regularly.. and even then the time between those test runs may allow some users to be compromised.
So using it is a good idea but it’s not a fix for the actual problem.
It is basic available for every browser except IE and Opera Mini, so I think it is user's problem to use an old browser that don't support a wide supported security feature.
Might as well simply block IE users outright at this point; it's just not worth the risk (and classic edge is close). It's probably better user experience to be upfront about issues than pretend you actually test and support all those old versions (unless you do... but why?)
Your own link says 94.79% coverage. So 1 in 20 users would be compromised.. on a large site that could be millions of users.
And your response is: "that's their problem" ??
I hope you're not in charge of any important or large sites or anything that handles financial data (ecommerce, etc)... because this isn't a good attitude when it comes to security.
By the same logic, TLS 1.2 isn't a solution to insecurities in 1.1 because only 98% of users currently support it.
It's perhaps worth accepting there's no silver bullet here but a combination of initiatives like SRI is still worthwhile to help reduce the attack surface for the majority of users?
Simply enabling TLS 1.2 is not a fix for problems in 1.1. You must also disable 1.1 in your server config. It's both actions that fix the insecurities: first enabling a secure method of communication; and then cutting off anyone trying to communicate insecurely. If you simply enable 1.2, but leave 1.1 working, then you haven't fixed the problem.
SRI is the equivalent of just enabling 1.2. You haven't disabled access to browsers that dont support SRI.
You 2nd sentence sounds remarkably similar to my first post that maple responded to: SRI can help mitigate the damage, but it cant fix it.
You seem confused about the difference between mitigation and fixing.
Mitigation: the action of reducing the severity, seriousness, or painfulness of something.
Key work there is reducing. A fix actually eliminates the issue.. like enabling 1.2 + disabling 1.1 eliminates the potential for communicating insecurely.
It's important to understand the difference because anything short of actually fixing the issue leaves some users exposed to the vulnerability.
