
I'm curious what the use case is.

If it's 3rd-party resources, wouldn't this make things like Google Analytics unable to be updated if they use hashes? I guess this must be mostly targeted at resource hosts who modify resources maliciously, but how often does that occur?

If it's 1st-party resources, wouldn't SSL better handle the authenticity part? If they can modify resources you're loading but hashing, surely they can modify the resource delivering those.




At this stage it looks like it's primarily for hosting of known versions of libraries by CDNs. For example, https://code.jquery.com/jquery-1.9.0.min.js should serve out those bytes exactly, even though there's a 1.9.1.

There have been proposals for adding fallback URLs to fetch from if the primary resource fails. This way you can have your CDN and cache but fall back to a local resource too. As the spec is written currently, it looks like the user will have to do this manually with an on error event. I haven't been following closely enough to see why it's taken this route. Perhaps for simplicity of the initial implementation?
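The pinning and manual fallback discussed in the comment above, as an added example that is not part of the thread: it models in Node the integrity check a browser applies to a pinned library and the source selection an error handler would perform. The function names, the `cdn.example` URL and the sample bytes are constructed for illustration.

```javascript
// Added example (not from the thread). Models the SRI check in Node.
const { createHash } = require('crypto');

const STRENGTH = { sha256: 1, sha384: 2, sha512: 3 };
const TOKEN = /^(sha256|sha384|sha512)-([A-Za-z0-9+\/]+={0,2})(?:\?.*)?$/;

// Value for the integrity attribute: "<algo>-<base64 digest of the exact bytes>".
function sriValue(bytes, algo = 'sha384') {
  return `${algo}-${createHash(algo).update(bytes).digest('base64')}`;
}

// True when the bytes match a digest of the strongest algorithm listed.
// Metadata with no usable digest enforces nothing, so it returns true.
function matchesIntegrity(bytes, integrityAttr) {
  const entries = integrityAttr.trim().split(/\s+/)
    .map((tok) => TOKEN.exec(tok))
    .filter(Boolean)
    .map((m) => ({ algo: m[1], digest: m[2] }));
  if (entries.length === 0) return true;
  const best = Math.max(...entries.map((e) => STRENGTH[e.algo]));
  return entries
    .filter((e) => STRENGTH[e.algo] === best)
    .some((e) => createHash(e.algo).update(bytes).digest('base64') === e.digest);
}

// Manual fallback: take the first source whose bytes verify, which is what an
// onerror handler on the CDN <script> does when it loads the local copy.
function loadPinned(sources, integrityAttr, fetchBytes) {
  for (const url of sources) {
    const bytes = fetchBytes(url);
    if (bytes && matchesIntegrity(bytes, integrityAttr)) return { url, bytes };
  }
  return null; // nothing verified: execute nothing
}

// Constructed sample data: the CDN path now serves different bytes.
const released = Buffer.from('/* lib 1.9.0 */ function lib(){}');
const swapped = Buffer.from('/* lib 1.9.1 */ function lib(){}');
const pin = sriValue(released);
const served = {
  'https://cdn.example/lib-1.9.0.min.js': swapped,
  '/js/lib-1.9.0.min.js': released,
};

function demo() {
  return loadPinned(Object.keys(served), pin, (url) => served[url]);
}

console.log(pin, '->', demo().url);
```

In a page, `pin` is the value of the `integrity` attribute on the `<script>` tag, and a cross-origin source also needs `crossorigin="anonymous"` for the check to run.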



