Because it's Facebook, I can't say that they aren't planning that.
But if anyone else mentioned this tech, I would assume it was benign. Subresource Integrity (https://developer.mozilla.org/en-US/docs/Web/Security/Subres...) is primarily aimed at servers proving to clients that their code is unaltered, not the other way around. I haven't personally tried it before, but I can't imagine why extensions wouldn't be able to override integrity strings or remove them from script elements.
For WhatsApp I'm not sure I see the point necessarily, but it's an understandable goal for Open Source and offline webapps or for apps that use 3rd-party CDNs. The main problem for personally hosted code is that the integrity string is also getting served from the server, so there's no reason it can't also be altered if the server that gives the HTML is compromised.
In theory with some tweaking and a way to pin integrity strings in a user-controlled way (which an extension could do I suppose) it could be a step towards allowing users to know when a PWA is being updated, which would be helpful for some security models. In its current state it's fairly niche and I'm not sure how useful the standard is outside of securing CDN requests.
Although why that would matter to WhatsApp, :shrug: It does feel weird that Facebook would be leading that push.
But if anyone else mentioned this tech, I would assume it was benign. Subresource Integrity (https://developer.mozilla.org/en-US/docs/Web/Security/Subres...) is primarily aimed at servers proving to clients that their code is unaltered, not the other way around. I haven't personally tried it before, but I can't imagine why extensions wouldn't be able to override integrity strings or remove them from script elements.
For WhatsApp I'm not sure I see the point necessarily, but it's an understandable goal for Open Source and offline webapps or for apps that use 3rd-party CDNs. The main problem for personally hosted code is that the integrity string is also getting served from the server, so there's no reason it can't also be altered if the server that gives the HTML is compromised.
In theory with some tweaking and a way to pin integrity strings in a user-controlled way (which an extension could do I suppose) it could be a step towards allowing users to know when a PWA is being updated, which would be helpful for some security models. In its current state it's fairly niche and I'm not sure how useful the standard is outside of securing CDN requests.
Although why that would matter to WhatsApp, :shrug: It does feel weird that Facebook would be leading that push.