Properly handle crossorigin resources #18
Description
If an external resource is included in a site with crossorigin and integrity attributes, e.g. like this:
page.includeJSLibs {
jQuery = https://cdnjs.cloudflare.com/ajax/libs/jquery/3.6.0/jquery.min.js
jQuery {
external = 1
integrity = sha512-894YE6QWD5I59HgZOGReFYm4dnWc1Qt5NtvYSaNcOP+u1T9qYdvdihz0PPSiiqn/+/3e7Jo4EaG7TubfWGUrMQ==
crossorigin = anonymous
}
}
then it is pushed as Link: <https://cdnjs.cloudflare.com/ajax/libs/jquery/3.6.0/jquery.min.js>; rel=preload; as="script". However, that resource is not actually preloaded, as this triggers a warning (at least in Firefox and Chrome) which reads similar to this: "A preload for 'https://cdnjs.cloudflare.com/ajax/libs/jquery/3.6.0/jquery.min.js' is found, but is not used due to an integrity mismatch."
IMHO such resources should either be discarded by the extension (i.e. not pushed), or the crossorigin and integrity information should be included in the Link header: Link: <https://cdnjs.cloudflare.com/ajax/libs/jquery/3.6.0/jquery.min.js>; rel=preload; as=script; crossorigin=anonymous; integrity=sha512-894YE6QWD5I59HgZOGReFYm4dnWc1Qt5NtvYSaNcOP+u1T9qYdvdihz0PPSiiqn/+/3e7Jo4EaG7TubfWGUrMQ==. According to this issue that seems to be supported at least in some browsers now.