We're going through this process at the moment of trying to get as many of our external scripts configured with SRI checks, which is easy enough for the devs to stick in but the most common push-back we're having is that a tonne of script sources do not have CORS switched on, which means you can't implement SRI on those scripts. Sure you could host the script locally but then that defeats the point of CDNs. In other instances, some scripts are not versions (plenty of Google ones) so the dev's don't want to risk sticking SRI on for the site to break when the host updates the script. Any thoughts on how to handle these situations?