The content hashing mechanism aims at improving the browser caching performance and providing a means for website to enforce the integrity of their external resources.

External elements update

Second image collision attack

An attacker can potentially create a hash collision between a specially crafted file and a well known file if the hashing algorithm is weak. MD5 must be avoided at all cost.

Integrity

Using the hash as an integrity mechanism is tricky because it can be delivered over HTTP. In this case a Man in the Middle attack can be performed. Communicate this limitations to user and developer is tricky.

Previous work on the subject:

• http://wiki.whatwg.org/wiki/Link_Hashes
• http://www.gerv.net/security/link-fingerprints/