Support SRI verification on link preloads (script and style)
Add sub resource integrity verification to link preloads so that resources with an integrity attribute can be preloaded with causing a double download. This feature honors the integrity attribute on link preloads for the as=script and as=style destinations.
The primary motivation for this work is that in Chrome, resources requested with subresource integrity (SRI) cannot re-use preloaded resources. This is documented in http://crbug/677022. This is because the raw bytes for a resource are discarded after the resource is encoded. Not-reusing requests from the preload cache causes a loading regression, as these resources will always be downloaded twice. A solution proposed to the W3C's Web Performance Working Group, and agreed on at TPAC 2018 by multiple vendors, was to standardize and implement support for the `integrity` attribute on link preloads. As per this feature, Chrome will support the `integrity` attribute on link preloads for as=script & as=style destinations. Support for other destinations is lower-priority, as the script and style destinations are currently the only resource types that support SRI on their own (independent of being preloaded).
Status in Chromium
Enabled by default (tracking bug) in:
- Chrome for desktop release 77
- Chrome for Android release 77
- Android WebView release 77
Consensus & Standardization
Last updated on 2019-07-31