Subresource Integrity Sample

  • I'm curious what the use case is.

    If it's 3rd-party resources, wouldn't this make things like Google Analytics unable to be updated if they use hashes? I guess this must be mostly targeted at resource hosts who modify resources maliciously, but how often does that occur?

    If it's 1st-party resources, wouldn't SSL better handle the authenticity part? If they can modify resources you're loading but hashing, surely they can modify the resource delivering those.

  • Will Chrome be using this as a cache hint? It might be an explicit way to signal a change, but the real benefit would be to dedupe every resource on the Internet. If I have a cached resource with a matching sha256, do I really need to make another request?