The core of this spec is low-risk: there's real value in allowing authors to verify the integrity of resources they download, and if we can get the caching semantics right (from a security/privacy perspective), there might be solid performance wins. SRI allows an author the opportunity to lock her site down to a specific set of resources, mitigating the risk that (for instance) a compromised CDN server can execute malicious code on her site. Websites are amalgams of resources loaded from a variety of sources, only some of which are under the control of the site's author. In a nutshell, metadata inlined into HTML elements allows the browser to determine whether the resource that was downloaded matches the resource the page's author expected to download.
Contact Integrity defines a mechanism by which user agents may verify that a fetched resource has been delivered without unexpected manipulation.
