Compatibility with Subresource Integrity (SRI) in consuming Paragon CSS via external CDN #3139

Open
adamstankiewicz opened this issue Jul 16, 2024 · 0 comments

@adamstankiewicz
Member

As part of a security review of the public, open-source CDN jsDelivr that 2U/edX.org frontends intend to use to consume Paragon's design tokens external CSS, it was asked that we support Subresource Integrity (SRI), if possible.

However, using CDNs also comes with a risk, in that if an attacker gains control of a CDN, the attacker can inject arbitrary malicious content into files on the CDN (or replace the files completely).

Subresource Integrity enables you to mitigate some risks of attacks such as this, by ensuring that the files your web application or web document fetches (from a CDN or anywhere) have been delivered without a third-party having injected any additional content into those files — and without any other changes of any kind at all having been made to those files.

<link
  href="https://example.com/example-framework.css"
  integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC"
  crossorigin="anonymous"
  rel="stylesheet"></link>
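
The integrity check described in the issue above, as an added Node.js example (not code from the issue or from Paragon): it generates an `integrity` value for a stylesheet and then applies the browser-side rule of comparing against the strongest listed hash. The CSS bytes and the `cdn.example` URL are constructed placeholders, and the function names are hypothetical.

```javascript
const crypto = require("node:crypto");

const STRENGTH = { sha256: 1, sha384: 2, sha512: 3 }; // algorithms SRI supports

// Build an integrity value ("sha384-<base64 digest>") for the given bytes.
function sriHash(content, algorithm = "sha384") {
  if (!(algorithm in STRENGTH)) throw new Error(`unsupported algorithm: ${algorithm}`);
  const digest = crypto.createHash(algorithm).update(content).digest("base64");
  return `${algorithm}-${digest}`;
}

// Parse an integrity attribute: whitespace-separated "alg-digest[?options]" tokens.
// Tokens with an unsupported algorithm or a malformed digest are ignored.
function parseIntegrity(attr) {
  return attr.trim().split(/\s+/).map((token) => {
    const m = /^(sha256|sha384|sha512)-([A-Za-z0-9+/]+={0,2})(\?.*)?$/.exec(token);
    return m ? { algorithm: m[1], digest: m[2] } : null;
  }).filter(Boolean);
}

// The content passes if it matches any hash of the strongest algorithm listed.
// With no usable metadata no check takes place, so that case is reported explicitly.
function verifyIntegrity(content, attr) {
  const entries = parseIntegrity(attr);
  if (entries.length === 0) return { checked: false, ok: true };
  const best = Math.max(...entries.map((e) => STRENGTH[e.algorithm]));
  const ok = entries
    .filter((e) => STRENGTH[e.algorithm] === best)
    .some((e) => {
      const actual = crypto.createHash(e.algorithm).update(content).digest();
      const expected = Buffer.from(e.digest, "base64");
      return expected.length === actual.length && crypto.timingSafeEqual(expected, actual);
    });
  return { checked: true, ok };
}

// Constructed sample stylesheet bytes (not Paragon's real CSS).
const pinnedCss = Buffer.from(":root { --example-color: #0a3055; }\n");
const alteredCss = Buffer.from(":root { --example-color: #0a3055; }\nbody { display: none; }\n");

const integrity = sriHash(pinnedCss);
console.log(`<link rel="stylesheet" href="https://cdn.example/paragon.css" ` +
  `integrity="${integrity}" crossorigin="anonymous">`);
console.log("pinned file :", verifyIntegrity(pinnedCss, integrity));
console.log("altered file:", verifyIntegrity(alteredCss, integrity));
```

A hash only stays valid while the CDN URL keeps returning byte-identical content, so the value has to be regenerated whenever the published CSS file changes.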