Script not blocked when integrity attribute is malformed ?

[MarchantLucas]

Knowing that subresource integrity is a security feature, I would expect that when the value of the attribute "integrity" is malformed, the script/stylesheet supposed to be loaded would be blocked. But if I forget to specify the algorithm (shaXXX) and write anything for the hash value(correct or false one) then the integrity attribute is ignored and the ressource is loaded. Why did you choose this implementation ?

As an example : in this program, the ressource won't be blocked :

<link rel="stylesheet"
      href="https://cdn.jsdelivr.net/npm/[email protected]/dist/css/bootstrap.min.css"
      integrity="not_a_good_hash"
      crossorigin="anonymous">


<script src="https://code.jquery.com/jquery-3.2.1.slim.min.js"
        integrity="Also_Not_A_GOOD_HASH"
        crossorigin="anonymous"></script>

[annevk]

While there's room for improvement here (see #84), there's reason to ignore unrecognized hash algorithms: https://w3c.github.io/webappsec-subresource-integrity/#agility.

Perhaps it would have been worth it to consider the case of it not containing any supported hash algorithms in a special manner, but that might also make agility more cumbersome in practice.

[MarchantLucas]

Ok, so it's an efficiency/compatibility-oriented choice ? Thank you Anne !