Showing content from https://github.com/w3c/preload/issues/127 below:

Preload and SRI · Issue #127 · w3c/preload · GitHub

We, Chrome, have some difficulty supporting script preload with SRI. Here is the story:

  1. ScriptResource translates the received raw bytes into text data, and discards the raw bytes to save memory.
  2. A preloaded resource wants to process the data before matching with the actual request.
    1. We think this is OK because that is not observable from JS, and we can discard the result when it's rejected by SRI.
  3. As the integrity value is provided by the actual request (<script integrity=...>), the above is not possible - the raw bytes needed to compute the hash are already discarded.

We spent months trying to solve the issue in our codebase, but we've given up due to the complexity the solution would bring.

I think, instead, we could ask web developers to specify the integrity value at the link element. For example,

<link rel="preload" as="script" href="/script.js">

doesn't match

<script src="/script.js"
        integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC"></script>

while

<link rel="preload" as="script" href="/script.js"
      integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC">

does.

What do you think about this idea?
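
The following Node.js sketch is an added illustration, not part of the original issue and not Chrome's code. It shows why the hash cannot be recomputed once the raw bytes are decoded and dropped, and how carrying the integrity value on the preload lets the check run while the bytes still exist; `preloadScript`, `hashFromText`, `matchesRequest` and the sample bytes are hypothetical names and constructed data.

```javascript
// Added illustration; function names are hypothetical, not Chrome's code.
const { createHash } = require('node:crypto');

// SRI metadata: "<alg>-<base64 digest>" computed over the raw response bytes.
function sriValue(bytes, alg = 'sha384') {
  return `${alg}-${createHash(alg).update(bytes).digest('base64')}`;
}

// Constructed sample response: a UTF-8 BOM followed by script source.
const SAMPLE = Buffer.concat([
  Buffer.from([0xef, 0xbb, 0xbf]),
  Buffer.from('console.log("preloaded");', 'utf8'),
]);

// Model of a preloaded script: decode to text and keep no raw bytes.
// If the link element carried an integrity value, verify it here,
// while the raw bytes are still available.
function preloadScript(rawBytes, linkIntegrity) {
  if (linkIntegrity && sriValue(rawBytes) !== linkIntegrity) {
    return null; // rejected by SRI, processed result is discarded
  }
  return {
    text: new TextDecoder('utf-8').decode(rawBytes), // decoding strips the BOM
    verifiedIntegrity: linkIntegrity || null,
  };
}

// Re-hashing the decoded text is the only option once the bytes are gone,
// and decoding is lossy, so the digest no longer matches the raw response.
function hashFromText(text) {
  return sriValue(new TextEncoder().encode(text));
}

// Proposed rule for a <script integrity=...> request: reuse the preload only
// if it was verified against the same value (simplified here to a single
// value compared by exact string equality).
function matchesRequest(entry, scriptIntegrity) {
  return entry !== null && entry.verifiedIntegrity === scriptIntegrity;
}

const expected = sriValue(SAMPLE);
console.log({
  rehashMatches: hashFromText(preloadScript(SAMPLE).text) === expected,
  plainPreloadMatches: matchesRequest(preloadScript(SAMPLE), expected),
  integrityPreloadMatches: matchesRequest(preloadScript(SAMPLE, expected), expected),
});
```
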

