Integrity with Multiple Hashes

Different hash algorithms

When multiple hashes are listed in the integrity attribute, separated by spaces, the browser uses only the hash with the strongest algorithm. In other words, the sha512 hash is used if present; otherwise sha384 is used. If neither is present, the sha256 hash is used to validate the resource.

You should be able to use the query string to control whether the integrity attribute of the stylesheet has a correct hash for the strongest algorithm.

Same hash algorithm

When the integrity attribute contains multiple hashes with the same algorithm, validation fails only when none of them matches the actual hash of the resource.

This multiple-hash behavior is useful when the same URL points to different resources depending on the browser, the visitor's account type, etc.

You should be able to use the query string to control whether the integrity attribute of the script has one correct hash among all the hashes in the attribute.
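
The two rules above (strongest algorithm only, then any match within that algorithm) can be modelled in a few lines of Node.js. This is an added example, not code from this demo page or from any browser; the sample stylesheet bodies and the names sriToken, parseIntegrity, sriAllows and demo are assumptions made for illustration.

```javascript
const { createHash } = require('node:crypto');

const STRENGTH = ['sha256', 'sha384', 'sha512']; // weakest to strongest
const TOKEN = /^(sha256|sha384|sha512)-([A-Za-z0-9+\/]+={0,2})(\?.*)?$/;

// Build an integrity token for a body (what a site author would publish).
function sriToken(alg, body) {
  return `${alg}-${createHash(alg).update(body).digest('base64')}`;
}

// Parse the attribute; tokens with an unsupported algorithm or bad shape are ignored.
function parseIntegrity(attr) {
  return attr.split(/\s+/)
    .map((t) => TOKEN.exec(t))
    .filter(Boolean)
    .map((m) => ({ alg: m[1], digest: m[2] }));
}

// Decide whether a fetched body passes the integrity attribute.
function sriAllows(body, attr) {
  const entries = parseIntegrity(attr);
  if (entries.length === 0) return true; // no usable hash: nothing is enforced
  const top = Math.max(...entries.map((e) => STRENGTH.indexOf(e.alg)));
  return entries
    .filter((e) => STRENGTH.indexOf(e.alg) === top) // only the strongest algorithm counts
    .some((e) => sriToken(e.alg, body) === `${e.alg}-${e.digest}`);
}

// Constructed sample resources (not taken from the demo page).
const served = 'body { color: green }';
const other = 'body { color: red }';

function demo() {
  return {
    // A correct sha256 does not rescue a wrong sha512.
    weakGoodStrongBad: sriAllows(served, `${sriToken('sha256', served)} ${sriToken('sha512', other)}`),
    // A wrong sha256 is ignored when the sha512 is correct.
    weakBadStrongGood: sriAllows(served, `${sriToken('sha256', other)} ${sriToken('sha512', served)}`),
    // Same algorithm: one correct hash is enough.
    sameAlgOneGood: sriAllows(served, `${sriToken('sha384', other)} ${sriToken('sha384', served)}`),
    // Same algorithm: fails only when every hash is wrong.
    sameAlgAllBad: sriAllows(served, `${sriToken('sha384', other)} ${sriToken('sha384', other + '!')}`),
  };
}

console.log(demo());
```

When reviewing a page's integrity attributes, note that every hash listed for the strongest algorithm is an accepted variant of the resource, so each one should correspond to content you intend to serve.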

Status of resources loading
