by quacksilver 482 days ago
I wish popular browsers would get together and release an update that says:

- After version X we are displaying a prominent popup if a script isn't loaded with a hash

- After version Y we block scripts loaded without hashes

They could solve this problem in a year or so, and if devs are too lazy to specify a hash when loading scripts then their site will break.

2 comments

Literally every website that uses JSONP will stop working if that happened. This would break the web in fundamental ways. If we're going to break the web in fundamental ways, resource integrity is hardly among the things that I'd be interested in changing.
Why would people choose JSONP over CORS?

There are security risks with JSONP (a hack to bypass same-origin policy), and the successor (CORS) has been around since 2009, so phasing it out may be a good thing.

https://dev.to/benregenspan/the-state-of-jsonp-and-jsonp-vul...

Good. JSONP requests to a domain you don't control are a security nightmare.
I don't think it's just laziness. There are use cases where the libraries are designed to be updated automatically.

Also some of the tracking scripts I don't think are strictly static content; maybe their strategy to fingerprint the browser involves sending different shit to different users.

If you are the one serving the website, then you are the one generating the hash. If you want to serve different stuff then you could dynamically generate the hash for that different stuff rather than hard code it statically.

Specifying a script hash says that you as the owner of that site agree to load the content only if it matches the hash. Presumably you trust the content enough to serve it to your users.