Closed Bug 1208875 Opened 9 years ago Closed 9 years ago

Subresource Integrity fails on Blob?

Categories

(Core :: DOM: Security, defect)

RESOLVED DUPLICATE of bug 1208629

People

(Reporter: freddy, Unassigned)

Details

Attachments

(1 file)

Attached file sri-blob.js (deleted) —
As reported in <https://hacks.mozilla.org/2015/09/subresource-integrity-in-firefox-43/comment-page-1/#comment-18803>, SRI does not seem to work with a blob URI. I have reproduced this error with the attached JS file, as run in a scratchpad on e.g. example.com. The JS executes fine when I comment out the line which adds the integrity attribute.
The comment author's blog post discusses caching scripts in localStorage and reloading them using blobs or data URIs with integrity. SRI is used to prevent XSS attacks from becoming persistent. I could read and understand the post quite well using Google Translate. The summary is that data URIs don't work, because Chrome treats them as cross-origin. Blobs work in Chrome but fail to load in Firefox. See the table at <https://imququ.com/post/enhance-security-for-ls-code.html> for more.
(In reply to Frederik Braun [:freddyb] from comment #1)
> The comment author's blog post discusses caching scripts in localStorage and
> reloading them using blobs or data URIs with integrity. SRI is used to
> prevent XSS attacks from becoming persistent.
>
> I could read and understand the post quite well using Google Translate.
> The summary is that data URIs don't work, because Chrome treats them as
> cross-origin. Blobs work in Chrome but fail to load in Firefox. See the
> table at <https://imququ.com/post/enhance-security-for-ls-code.html> for
> more.

I am the author of this post. And I had sent a mail to public-webappsec@w3.org asking this question:

> While testing the Chrome and Firefox's implementation of SRI, I found something interesting.
>
> 1) Test SRI with data URIs:
>
> <script crossorigin="anonymous" integrity="sha256-0URT8NZXh/hI7oaypQXNjC07bwnLB52GAjvNiCaN7Gc=" src="data:application/x-javascript,alert(%22hello%20world!%22);"></script>
>
> 2) Test SRI with Blob URL:
>
> <script>
> var blob = new Blob(['alert("hello world!");'], {type: "application/x-javascript"});
> var blobUrl = URL.createObjectURL(blob);
> document.write('<script crossorigin="anonymous" integrity="sha256-0URT8NZXh/hI7oaypQXNjC07bwnLB52GAjvNiCaN7Gc=" src="'+ blobUrl +'"></sc' + 'ript>');
> </script>
>
> In Chrome : Version 46.0.2490.33 beta (64-bit)
>
> 1) data URIs : Throw an exception.
> Subresource Integrity: The resource 'data:application/x-javascript,alert(%22hello%20world!%22);' has an integrity attribute, but the resource requires the request to be CORS enabled to check the integrity, and it is not. The resource has not been blocked, but no integrity check occurred.
>
> 2) Blob URL : Everything is OK.
> The script will be executed with correct hash, won't be executed with incorrect hash.
>
> In Firefox : 44.0a1 (2015-09-23)
>
> 1) data URIs, 2) Blob URL : The script won't be executed, both with correct hash and with incorrect hash.
>
> May the SRI spec give some specific recommendations for this?

And this is a reply from Anne van Kesteren:

> Only the blob URL should work per Fetch, to which SRI defers. (That is
> because data URLs for <script> get tainted and SRI cannot poke into
> tainted responses.)
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → DUPLICATE
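
The comparison SRI makes on a fetched script, which a loader reviving scripts from localStorage can also run itself before building a blob URL, as an added example that is not part of the bug, the attachment or the blog post. It runs under Node.js; `computeIntegrity`, `parseIntegrity`, `matchesIntegrity` and `loadFromCache` are hypothetical names, and the sample is the script text from the quoted mail.

```javascript
const crypto = require('crypto');

// Hash algorithms SRI accepts, ranked so the strongest one listed wins.
const STRENGTH = { sha256: 1, sha384: 2, sha512: 3 };

// Build an integrity value ("sha256-<base64 digest>") over the script's bytes.
function computeIntegrity(text, algo = 'sha256') {
  const digest = crypto.createHash(algo).update(text, 'utf8').digest('base64');
  return `${algo}-${digest}`;
}

// Parse an integrity attribute: whitespace-separated "alg-hash[?options]" tokens.
// Tokens with an unknown algorithm or a malformed hash are dropped.
function parseIntegrity(attr) {
  return attr.trim().split(/\s+/).map((token) => {
    const m = /^(sha256|sha384|sha512)-([A-Za-z0-9+/]+={0,2})(\?.*)?$/.exec(token);
    return m ? { algo: m[1], hash: m[2] } : null;
  }).filter(Boolean);
}

// True when the text matches any hash given for the strongest algorithm listed.
function matchesIntegrity(text, attr) {
  const entries = parseIntegrity(attr);
  if (entries.length === 0) return true; // no usable metadata: nothing to enforce
  const best = Math.max(...entries.map((e) => STRENGTH[e.algo]));
  return entries
    .filter((e) => STRENGTH[e.algo] === best)
    .some((e) => computeIntegrity(text, e.algo) === `${e.algo}-${e.hash}`);
}

// Cache loader (hypothetical): fails closed, so a cached copy without a usable
// pinned value is never handed on to URL.createObjectURL.
function loadFromCache(cachedText, pinned) {
  if (parseIntegrity(pinned).length === 0) return null;
  return matchesIntegrity(cachedText, pinned) ? cachedText : null;
}

// Constructed sample: the script text from the quoted mail, once as the blob
// body and once as the percent-decoded body of the data: URI.
const blobBody = 'alert("hello world!");';
const dataUriBody = decodeURIComponent('alert(%22hello%20world!%22);');
const pinned = computeIntegrity(blobBody);

console.log(pinned, loadFromCache(blobBody, pinned) !== null);
console.log(loadFromCache(blobBody + ' // edited', pinned)); // null: modified copy
```

Both test cases in the mail carry the same bytes once the data: URI is percent-decoded, which is why one integrity value serves both.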