by mastahyeti 3923 days ago
This isn't a concern with our implementation because a hash of the asset bundle is also included in the URL. This is a pretty common cache-busting technique for static assets and lets you send more aggressive cache directives to the browser.
1 comments

D'oh; that makes sense.

Maybe I should refrain from posting my gut reactions (or at least wait until I'm awake first). =)

No, it was a very good point. Not everyone adds hashes to filenames, and to me it seems that you're right in that weird caching can break pages that way.

If indeed this is the case, subresource integrity needs a big warning sign about that. For me, your comment was that warning sign, so please keep posting while you're not awake yet.

Why would it need a warning? If the HTML provides a new integrity="" hash, then any cached version obviously wouldn't pass. Subresource integrity makes it easier to determine if a cached file has expired. The file can be permanently cached for any HTML that requests the same hash value(s).
The browser could do something with this, but I believe it doesn't. Instead the algorithm is just:

1) Load the resource specified in src (from network or cache)

2) If there's an integrity attribute, verify its hash
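An added example, not part of the thread: a Node.js simulation of the two-step algorithm above against a toy cache keyed by URL, comparing an unchanged asset URL with the hash-in-URL cache-busting scheme mentioned at the top. The file names, bundle contents, the cache model (no revalidation) and the single-hash `integrity` value are all constructed assumptions.

```javascript
const crypto = require("node:crypto");

// integrity="" value for a resource body: "<alg>-<base64 digest>".
function sriFor(body, alg = "sha384") {
  return `${alg}-${crypto.createHash(alg).update(body).digest("base64")}`;
}

// Cache-busting URL: a short content hash embedded in the file name.
function hashedUrl(name, body) {
  const tag = crypto.createHash("sha256").update(body).digest("hex").slice(0, 12);
  return name.replace(/(\.\w+)$/, `-${tag}$1`);
}

// Step 1: load src (cache first, then network). Step 2: verify the hash.
// Simplification: one hash per integrity attribute, cache never revalidates.
function loadScript(tag, cache, network) {
  const fromCache = cache.has(tag.src);
  const body = fromCache ? cache.get(tag.src) : network.get(tag.src);
  if (body === undefined) return { status: "network-error", fromCache };
  if (!fromCache) cache.set(tag.src, body);
  if (tag.integrity) {
    const alg = tag.integrity.split("-", 1)[0];
    if (!["sha256", "sha384", "sha512"].includes(alg)) {
      throw new Error(`unsupported algorithm in this demo: ${alg}`);
    }
    if (sriFor(body, alg) !== tag.integrity) return { status: "blocked", fromCache };
  }
  return { status: "executed", fromCache };
}

// Visit the page at v1, deploy v2, visit again with the same browser cache.
function scenario(useHashedUrl) {
  const v1 = "console.log('bundle v1');"; // constructed sample bundles
  const v2 = "console.log('bundle v2');";
  const url = (body) =>
    useHashedUrl ? hashedUrl("/assets/app.js", body) : "/assets/app.js";
  const cache = new Map();
  // First visit: HTML and server both at v1; the script gets cached.
  loadScript({ src: url(v1), integrity: sriFor(v1) }, cache, new Map([[url(v1), v1]]));
  // After the deploy: new HTML carries the v2 hash, old bytes may still be cached.
  return loadScript({ src: url(v2), integrity: sriFor(v2) }, cache, new Map([[url(v2), v2]]));
}

console.log("same URL:  ", scenario(false));
console.log("hashed URL:", scenario(true));
```

With the unchanged URL the stale cached body is checked against the new hash and the script is blocked rather than refetched; with the content hash in the URL the lookup misses the cache and the new bundle loads and verifies.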