Support SRI verification on link preloads (script and style)

Allows developers to specify subresource integrity on link preloads, so that they can be properly reused. Currently, subresource integrity verification is not supported on link preloads, which means that resources with an integrity attribute cannot be preloaded without resulting in a double download. This feature honors the `integrity` attribute on link preloads for the as=script and as=style destinations.

The primary motivation for this work is that in Chrome, resources requested with subresource integrity (SRI) cannot re-use preloaded resources. This is documented in http://crbug/677022. This is because the raw bytes for a resource are discarded after the resource is encoded. Not-reusing requests from the preload cache causes a loading regression, as these resources will always be downloaded twice. A solution proposed to the W3C's Web Performance Working Group, and agreed on at TPAC 2018 by multiple vendors, was to standardize and implement support for the `integrity` attribute on link preloads. As per this feature, Chrome will support the `integrity` attribute on link preloads for as=script & as=style destinations. Support for other destinations is lower-priority, as the script and style destinations are currently the only resource types that support SRI on their own (independent of being preloaded).

Documentation

Specification

Working draft or equivalent

Status in Chromium

Blink>Loader>Preload


Enabled by default (tracking bug) in:

  • Chrome for desktop release 77
  • Chrome for Android release 77
  • Android WebView release 77

Consensus & Standardization

After a feature ships in Chrome, the values listed here are not guaranteed to be up to date.

Owner

Last updated on 2019-07-10