[mnarayan01]

> 3rd parties should version their JavaScript resources with a version number in the URL

I mean yes this is true, but it seems almost totally orthogonal to SRI (which is aimed at security AIUI), particularly given you can give more than one hash for a particular resource. If for some reason a third-party can't use fingerprinted URLs, they can still update the resource provided they give "sufficient" advanced notification of the new fingerprint to clients.

> And this should be a manual process because automating it would defeat the whole point of SRI.

Obviously it should be offline/write-once, but unless you're reviewing the actual assets as well I'm not sure I see the need to avoid automation.

[asaph]

Without versioned assets, both the 3rd and 1st parties would need to make the update at the exact same time or else the enforced SRI would cause failures. This kind of tight coordination is impractical or even impossible. Versioned assets allow you to deploy updates when using SRI without breaking anything.

The need to avoid automation stems from the fact that an automated process which simply detects that a change has been made and blindly updates the SRI attribute with a new hash would let a malicious code update through, which normally SRI would have blocked. This situation is no different than not using SRI at all.

[mnarayan01]

You can specify multiple digests for an asset, so a non-versioned one can be updated sans downtime:

1. Provider informs clients that a new version with digest X will be deployed.

2. Clients add the new digest in addition to the current digest.

3. Provider switches to new asset version.

4. Clients remove old digest (optional).

Versioned assets are obviously better unless you're in a really weird situation, but SRI doesn't particularly require them.

[asaph]

Thank you for letting me know that you can use multiple hashes in SRI. I didn't know you could do that.