@drak Having just overviewed the specification (https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity), I can say it's not enough: the document needs to implement PKI, and sign external resources with its Document key, not just a signing public key that endorses the main document. Basically, a tree of signatures. Hashes only say files/elements exist.