One thing in this context is that it is basically impossible for a website to check the integrity of an external (js) resource without loading it. This is a consequence of the web security model.
It's basically impossible to get the contents of a .js file without executing it, say for checksum verification (at least without CORS, and even with, you might trigger an additional download, I haven't tested it). But it's trivially easy to include an external .js in the page, with the same access rights as directly embedded script (including access to credentials).
That's what we're used to, but it seems completely backwards to me. It would be much better IMO if a script could make arbitrary HTTP requests to other sites - but without having access to those sites' credentials. (Remember in the 2000s when "mashups" were all the rage? I spent a weekend parsing some data source in javascript to display it on a map, just to realize that what worked locally didn't work over http. Imagine the disappointment.)
What's also missing is a way to run an external script sandboxed, or in a sub-interpreter. There ought to be a way to restrict what banner ads or font loaders can do to my page.
Web pages can make requests to other origins (GET image, script, XHR, POST to iframe, XHR). CORS allows you to read the response. But what you're asking would probably be hard to transition the whole web to without too much spam and DOS'ing.
The sandboxing for an external script you want already is feasible with an iframe with a different origin.