Hello Petr,
We have pushed an updated configuration, so CORS headers are now correctly set for script files.
Regarding your implementation, I’m sorry, but I don’t see a strong solution other than hosting the JavaScript file on your own server and computing the hash through your CI/CD pipeline before deployment. This approach would also require you to frequently update the script to benefit from the latest modifications in the SDK.
Using the Last-Modified header is more of a workaround and would ultimately also require you to have a dedicated endpoint on your side to generate the new hash dynamically. While it could help your CI process determine if a new hash needs to be generated, it won’t be helpful for generating the hash on the client side, as this would go against the purpose of SRI.
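The CI step described in the reply above could look like the following sketch, an added example that is not part of the original message or the vendor's tooling. The function names, the `/vendor/sdk.js` path and the sample SDK bytes are assumptions constructed for illustration.

```python
import base64
import hashlib
import re

SRI_ALGS = ("sha256", "sha384", "sha512")  # hash algorithms SRI allows

def sri_hash(data: bytes, alg: str = "sha384") -> str:
    """Return an integrity value: '<alg>-<base64 of the raw digest>'."""
    if alg not in SRI_ALGS:
        raise ValueError(f"unsupported SRI algorithm: {alg}")
    digest = hashlib.new(alg, data).digest()
    return f"{alg}-{base64.b64encode(digest).decode('ascii')}"

def needs_update(pinned: str, upstream: bytes) -> bool:
    """True when the vendor's current bytes no longer match the pinned value."""
    alg = pinned.split("-", 1)[0]
    return sri_hash(upstream, alg) != pinned

def pin_integrity(html: str, src: str, integrity: str) -> str:
    """Set the integrity attribute on the <script> tag that loads src."""
    tag_re = re.compile(r'<script\b[^>]*\bsrc="%s"[^>]*>' % re.escape(src))

    def rewrite(match):
        # Drop any stale integrity value, then append the fresh one.
        tag = re.sub(r'\s+integrity="[^"]*"', "", match.group(0))
        return f'{tag[:-1]} integrity="{integrity}">'

    html, count = tag_re.subn(rewrite, html)
    if count == 0:
        raise LookupError(f"no <script> tag loads {src}")
    return html

# Constructed sample data: two SDK builds and a page that loads the local copy.
SDK_OLD = b"window.sdk = {version: '1.0.0'};\n"
SDK_NEW = b"window.sdk = {version: '1.0.1'};\n"
PAGE = '<script src="/vendor/sdk.js" integrity="sha384-stale"></script>'

if __name__ == "__main__":
    pinned = sri_hash(SDK_OLD)
    if needs_update(pinned, SDK_NEW):   # CI fetched a newer vendor build
        pinned = sri_hash(SDK_NEW)      # re-hash the copy about to be deployed
    print(pin_integrity(PAGE, "/vendor/sdk.js", pinned))
```

The hash is computed over the exact bytes that will be served, so any minification or re-encoding has to happen before this step runs.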