Subresource Integrity (SRIs) for script tags

[dgreif]

We are exploring using Remix for SSR, but we have a hard requirement on using SRIs for all script files loaded from our CDN. For now we are deploying our JS along side our server, but we will need to server from our CDN before we can actually serve production traffic.

I've spoken with @jacob-ebey about this some, and it sounds like the Scripts component is moving the direction of using esm imports rather than individual script tags. He mentioned that one possibility would be for us to implement our own version of Scripts, which could have SRIs built into it and use script tags for all files instead of using imports for the initial page load. This would be slightly less optimal in terms of loading order, but would give us the security features we need. We would also likely need a way to include the SRI for each dynamically loaded script in the manifest.

Opening this discussion to see if there are any alternate ideas, and if not, discuss what would be needed for our custom Scripts component.

[dgreif]

For our particular use case, we were able to drop the SRI requirement. Really appreciate the help from the Remix team exploring options to solve this problem.