<script src="https://example.com/example-framework.js"
integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC"
crossorigin="anonymous"></script>
It's primarily useful for checking the integrity of files as served by a CDN (which I believe rempe.us/diceware is based on PR comments mentioning gh-pages). That way your trust focuses primarily on what index.html is served to your browser, as at least any directly loaded JS will be validated as the same as you expected to be served based on the hashes.
The downside of SRI for a website that's entirely statically defined is that it means any time you update any JS code that is tagged with a hash you must also make sure to update the hash. That probably means adding a step in the development process for anyone who edits any JS as they will need to update the appropriate hash(es). Having said all of this, I am willing to pull together a Python script that you can point at an HTML file and have it print out when the hashes are outdated and what the new hash values should be (I would make a new GH project for this and license it under Apache 2 if you wanted to embed a copy in this repo). There are also SRI-generating tools for things like Gulp if that's how you would want to do your workflow.
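The checker sketched above, as an added example (not the commenter's script or project code): it parses `<script src>` tags, recomputes the SRI digest from the current file bytes, and reports which `integrity` values are stale or missing. The `fetch` callback that returns a script's bytes and the sample files and HTML are constructed here for illustration.

```python
import base64
import hashlib
from html.parser import HTMLParser

# Digest algorithms SRI allows in an integrity attribute.
ALGORITHMS = {"sha256": hashlib.sha256, "sha384": hashlib.sha384, "sha512": hashlib.sha512}


def sri_hash(data: bytes, algorithm: str = "sha384") -> str:
    """Return an integrity token like 'sha384-<base64 digest>' for the given bytes."""
    digest = ALGORITHMS[algorithm](data).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


class _ScriptCollector(HTMLParser):
    """Collect (src, integrity) pairs from every <script src=...> tag."""
    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.scripts.append((a["src"], a.get("integrity")))


def check_sri(html: str, fetch) -> list:
    """Compare each script's integrity attribute against the bytes fetch(src) returns.

    fetch is a hypothetical caller-supplied loader (e.g. reading the gh-pages checkout).
    Each report has status 'ok', 'outdated' or 'missing' and the current sha384 value.
    """
    parser = _ScriptCollector()
    parser.feed(html)
    reports = []
    for src, integrity in parser.scripts:
        data = fetch(src)
        if not integrity:
            reports.append({"src": src, "status": "missing", "expected": sri_hash(data)})
            continue
        # An attribute may list several tokens; the browser accepts any matching one.
        tokens = [t for t in integrity.split() if t.split("-", 1)[0] in ALGORITHMS]
        ok = any(t == sri_hash(data, t.split("-", 1)[0]) for t in tokens)
        reports.append({"src": src, "status": "ok" if ok else "outdated", "expected": sri_hash(data)})
    return reports


# Constructed sample: diceware.js carries a current hash, words.js an obviously stale one.
SAMPLE_FILES = {"js/diceware.js": b"console.log('roll');\n", "js/words.js": b"var WORDS = ['alpha'];\n"}
SAMPLE_HTML = (
    f'<script src="js/diceware.js" integrity="{sri_hash(SAMPLE_FILES["js/diceware.js"])}"></script>\n'
    '<script src="js/words.js" integrity="sha384-STALEPLACEHOLDER"></script>\n'
)


def run_sample() -> list:
    return check_sri(SAMPLE_HTML, SAMPLE_FILES.__getitem__)
```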