(Sorry if this should be a PR - first time in this repo.)
Since reliance on CDNs for e.g. external JavaScript files is bad, I recommend that all tags that have a 'src' attribute should also have an optional 'hash' attribute.
The author of the HTML file could then specify the e.g. SHA256 hash of the file required. The browser can then check if any file in its cache matches that hash, and use a local copy, if available.
If there's a cache hit, this would save one HTTP request and would also allow the browser to use a file downloaded from some other URI, even with another filename, as long as the contents match.
This would, in turn, essentially resemble a distributed CDN for many often-used files, like the popular JavaScript files and webfonts, etc.
Hashes like this are already in use for Subresource Integrity (https://w3c.github.io/webappsec-subresource-integrity/), but in that context they don't replace the URL as the cache key, and the invalidation they provide happens separately from cache invalidation.
A problem with the idea of caching files by hash is that caches are partitioned per-site, and they're per-site for good reasons: script running on one site shouldn't be allowed to probe the cache for arbitrary files from another site, for the same reason that the :visited CSS style needs to be hidden from script.
It might still make sense for just certain files, selectively, to opt out from per-site caching? Those might even turn out to be the same files that #8143 is about.
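An added example, not part of the thread and not any browser's real cache code: a toy model of the two designs discussed above. It computes an SRI-style SHA-256 value and shows why a cache keyed by hash alone tells one site what another site loaded, while a per-site partitioned cache does not. The class names, site names and sample file are hypothetical.

```javascript
// Added example: toy model, not any browser's real cache implementation.
const nodeCrypto = typeof require === 'function'
  ? require('node:crypto')
  : process.getBuiltinModule('node:crypto'); // ES module fallback

// SRI-style integrity value: "sha256-" + base64 of the SHA-256 digest.
function sriDigest(body) {
  return 'sha256-' + nodeCrypto.createHash('sha256').update(body).digest('base64');
}

// Proposal in the issue: one shared cache keyed only by content hash.
class HashKeyedCache {
  constructor() { this.store = new Map(); }
  put(_site, _url, body) { this.store.set(sriDigest(body), body); }
  // Any site can ask "is this hash cached?" regardless of who fetched it.
  lookup(_site, integrity) { return this.store.get(integrity); }
}

// Partitioned design: the top-level site is part of every cache key.
class PartitionedCache {
  constructor() { this.store = new Map(); }
  put(site, url, body) { this.store.set(`${site} ${url}`, body); }
  lookup(site, url, integrity) {
    const body = this.store.get(`${site} ${url}`);
    // The SRI check runs after the lookup; the hash is never the key.
    return body !== undefined && sriDigest(body) === integrity ? body : undefined;
  }
}

// Constructed sample: a file that only visitors of site-a.example load.
const SAMPLE_BODY = 'console.log("members-only widget v1");';
const SAMPLE_URL = 'https://cdn.example/widget.js';
const SAMPLE_INTEGRITY = sriDigest(SAMPLE_BODY);

function demo() {
  const shared = new HashKeyedCache();
  const split = new PartitionedCache();
  shared.put('site-a.example', SAMPLE_URL, SAMPLE_BODY);
  split.put('site-a.example', SAMPLE_URL, SAMPLE_BODY);
  return {
    // site-b.example never fetched the file; a hit discloses the site-a visit.
    sharedHitFromOtherSite: shared.lookup('site-b.example', SAMPLE_INTEGRITY) !== undefined,
    partitionedHitFromOtherSite: split.lookup('site-b.example', SAMPLE_URL, SAMPLE_INTEGRITY) !== undefined,
    partitionedHitSameSite: split.lookup('site-a.example', SAMPLE_URL, SAMPLE_INTEGRITY) !== undefined,
  };
}
console.log(SAMPLE_INTEGRITY, demo());
```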