Subresource integrity

[omgitstom]

Since we are hosting this on Stormpath CDN, we should disclose subresource integrity for individual versions of the widget

[nbarbettini]

From my understanding, this should be pretty easy to accomplish. The SRI hash can be generated with:

cat stormpath.min.js | openssl dgst -sha384 -binary | openssl enc -base64 -A

Here's what we need to do:

• [ ] Test to make sure CloudFront has the proper CORS attributes to support this
• [ ] Add a step to the publish process that calculates the SHA-384 (or 512) hash of stormpath.min.js for the newly-tagged version
• [ ] Update the demo page with this hash and sanity check if needed
• [ ] Publish the official hashes for each version in the README. We can probably automate this with a simple script.

[nbarbettini]

I think SHA-384 would make sense for the hash length, because it's as secure as SHA-512 and requires less computational work for the browser.