Subresource Integrity on CSS-included fonts over CDN (e.g. font-awesome)


How would one employ SRI for resources included by a .css file included over a CDN.

For example, if you include this in your HTML:

<link href="https://maxcdn.bootstrapcdn.com/font-awesome/4.7.0/css/font-awesome.min.css" rel="stylesheet" integrity="sha384-wvfXpqpZZVQGK6TAh5PVlGOfQNHSoD2xbE+QkPxCAFlNEevoEH3Sl0sibVcOQVnN" crossorigin="anonymous">

This will load fonts included via the CSS, such as url('../fonts/fontawesome-webfont.woff2?v=4.7.0'). Of course, these fonts could be tampered with, to take advantage of some untold browser exploit, so it makes sense to force hash checking on them, too.

How can one tell a browser to perform the SRI-hash of the fontawesome-webfont.* files that are loaded via the .css?

Note: It looks like sub-sub-resource hashes are not yet supported, though I'm not sure if that's the latest.


1 answer

Maxie Berkmann On

As far as I'm aware, subresources of resources that have a valid integrity and CORS header shouldn't need anything more. At least, that seems to be the case with CSP enforced on Opera.