rkd77 / elinks

Fork of elinks

Feature request: W3C SubResource Integrity support #284

Open jayaddison opened 7 months ago

jayaddison commented 7 months ago

SubResource Integrity (acronym SRI) is a W3C recommendation that provides web publishers with a way to add the hash checksums of content referenced from their HTML pages, by adding an integrity attribute to the relevant HTML elements.

The attribute value contains one or more hyphen-joined conjunctions of a hash algorithm (such as sha256) and a base64-encoded hash of the content of the linked resource.

When multiple of these algorithm-and-hash conjunctions are present, then a space is used to separate each atomic conjunct.

Furthermore, there is logic in the specification that says that stronger algorithms take precedence over weaker algorithms - but it is up to the user agent to provide the ranking. So if we have an integrity attribute with value sha256-x sha256-y sha384-z, then -- assuming that sha384 is stronger than sha256 -- we should ignore the x and y hash values entirely and only validate fetched content against the sha384 hash.

However, within equal-strength algorithms, the logic is that any of the equal-strength hashes are permitted. So if we removed sha384-z from the previous example, then either x or y are valid base64-encoded SHA256 values for the referenced content.

The specification is relatively strict in that it suggests that integrity check failures should prevent the referenced resource from being loaded by the user agent.

There are no doubt other relevant details in the W3C specification; this is my attempt to summarize what I understand to be the most important aspects of the feature from my understanding of it so far.
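The selection and matching rules summarized in this comment, as an added Python sketch (not part of the original issue and not elinks code). The `STRENGTH` ranking and all function names are assumptions for illustration; the `?options` handling and the "no usable metadata means no check" behaviour come from the W3C specification rather than from the comment.

```python
import base64
import hashlib

# Assumed user-agent ranking (higher is stronger); the issue notes the ranking is up to the user agent.
STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}


def sri(alg, data):
    """Build one 'alg-base64digest' token for the given bytes."""
    return alg + "-" + base64.b64encode(hashlib.new(alg, data).digest()).decode()


def parse_integrity(value):
    """Split the attribute on whitespace; keep (alg, digest) pairs for known algorithms."""
    entries = []
    for token in value.split():
        alg, sep, digest = token.partition("-")
        if sep and digest and alg in STRENGTH:
            # The spec grammar allows "?options" after the digest; drop them.
            entries.append((alg, digest.split("?", 1)[0]))
    return entries


def strongest_entries(value):
    """Keep only the entries that use the strongest algorithm present."""
    entries = parse_integrity(value)
    top = max((STRENGTH[alg] for alg, _ in entries), default=0)
    return [(alg, digest) for alg, digest in entries if STRENGTH[alg] == top]


def content_allowed(content, integrity):
    """True if the fetched bytes may be loaded under this integrity value."""
    candidates = strongest_entries(integrity)
    if not candidates:
        return True  # empty or unrecognised metadata: the spec applies no check
    return any(sri(alg, content) == alg + "-" + digest for alg, digest in candidates)


if __name__ == "__main__":
    body = b"console.log('hello');\n"  # constructed sample resource
    wrong = b"tampered"                # constructed bytes that do not match
    # Two sha256 hashes, one matching: allowed.
    print(content_allowed(body, sri("sha256", wrong) + " " + sri("sha256", body)))
    # Matching sha256 but mismatching sha384: sha256 is ignored, so blocked.
    print(content_allowed(body, sri("sha256", body) + " " + sri("sha384", wrong)))
```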

rkd77 commented 6 months ago

It should not be too hard to implement, but first we need to have some js code which works. Code which modifies the DOM tree or calls document.write does not work well yet, so it is too early to add features like this one.