HTML Subresource Integrity

Not in this spec, but Content Security Policy v2 gets a bit further using a combination of the hash-source and report-uri fields. The error report to the server is explicitly specced as a non-blocking background request though, so any fallback will still end up being hacky.