from Hacker News

Subresource Integrity Sample

by mondainx on 7/27/15, 7:07 PM with 7 comments

  • by zacwest on 7/27/15, 11:10 PM

    I'm curious what is the use case.

    If it's 3rd-party resources, wouldn't this make things like Google Analytics unable to be updated if they use hashes? I guess this must be mostly targeted at resource hosts who modify resources maliciously, but how often does that occur?

    If it's 1st-party resources, wouldn't SSL better handle the authenticity part? If they can modify resources you're loading but hashing, surely they can modify the resource delivering those.

  • by roller on 7/27/15, 11:37 PM

    Will chrome be using this as a cache hint? It might be an explicit way to signal a change, but the real benefit would be to dedupe every resource on the Internet. If I have a cached resource with a matching sha256, do I really need to make another request?