Enable SRI only for same origin and CORS content.

Source/core/html/HTMLLinkElement.cpp

Index: Source/core/html/HTMLLinkElement.cpp
diff --git a/Source/core/html/HTMLLinkElement.cpp b/Source/core/html/HTMLLinkElement.cpp
index 56a52ca82f040342dc4ddb626f679584186614c5..0e273a80602009634b1723ffdd4b18552651c107 100644
--- a/Source/core/html/HTMLLinkElement.cpp
+++ b/Source/core/html/HTMLLinkElement.cpp
@@ -509,11 +509,15 @@ void LinkStyle::setCSSStyleSheet(const String& href, const KURL& baseURL, const
         return;
     }
 
-    if (!SubresourceIntegrity::CheckSubresourceIntegrity(*m_owner, cachedStyleSheet->sheetText(), KURL(KURL(), href), cachedStyleSheet->mimeType())) {
-        m_loading = false;
-        removePendingSheet();
-        notifyLoadedSheetAndAllCriticalSubresources(true);
-        return;
+    if (cachedStyleSheet->isCORSNeededAndFailed() && m_owner->fastHasAttribute(HTMLNames::integrityAttr)) {
+        document().addConsoleMessage(ConsoleMessage::create(SecurityMessageSource, ErrorMessageLevel, "Cannot enforce integrity on non-CORS enabled resource."));

[Mike West, 2015/02/26 08:44:53]

Same question as I had with script: should we just allow the request? I don't
think that's actually what the spec says (e.g.
https://w3c.github.io/webappsec/specs/subresourceintegrity/#is-resource-eligi...
returns false, so
https://w3c.github.io/webappsec/specs/subresourceintegrity/#does-resource-mat...
returns false in step 2.

[jww, 2015/03/06 02:16:42]

Agreed as per my response in ScriptLoader.cpp. Fixed.

+    } else {
+        if (!SubresourceIntegrity::CheckSubresourceIntegrity(*m_owner, cachedStyleSheet->sheetText(), KURL(KURL(), href), cachedStyleSheet->mimeType())) {
+            m_loading = false;
+            removePendingSheet();
+            notifyLoadedSheetAndAllCriticalSubresources(true);
+            return;
+        }
     }
 
     // Completing the sheet load may cause scripts to execute.