Zenhack.net

Subresource Integrity And Caching

20 Dec 2015

Earlier today I had an idea which I felt was somewhat obvious. I decided to ask around to see if anyone was working on it. I dropped this message into a social IRC channel I frequent:

(15:58:43) isd: So here’s a thing I want to exist: html elements which take a src or href attribute or the like should also accept an optional “hash” attribute with a value like “sha256-abc753532de…”. Semantically, this should be the cryptographic hash of the linked resource. Easy way to have non-expiring cached items that are independent from where you got them. I can’t be the first person who’s thought of something like this; anybody know of any existent discussion around it?

(15:59:48) isd: browser downloads one copy of a given version of jquery ever

I was promptly pointed to the work-in-progress spec for SRI. The proposed mechanism is basically identical to what I described, but they have a completely different use case in mind. I recommend reading the first chunk of that document.

I sent an email to their mailing list mentioning the alternate use case. I’m curious to see how they respond. In terms of the spec, the most that would likely make sense to change would be to add a use case; I don’t think the mechanism needs to change at all.

Cheers.