I'm curious what is the use case.<p>If it's 3rd-party resources, wouldn't this make things like Google Analytics unable to be updated if they use hashes? I guess this must be mostly targeted at resource hosts who modify resources maliciously, but how often does that occur?<p>If it's 1st-party resources, wouldn't SSL better handle the authenticity part? If they can modify resources you're loading but hashing, surely they can modify the resource delivering those.
Will chrome be using this as a cache hint? It might be an explicit way to signal a change, but the real benefit would be to dedupe every resource on the Internet. If I have a cached resource with a matching sha256, do I really need to make another request?