There is a feature is most modern browsers today called “Subresource Integrity” that is supposed to help with this. It looks something like this:
When retrieving the file, the browser first hashes it and makes sure it’s the correct hash. If it’s not, it refuses to run it. Here is the full spec: https://w3c.github.io/webappsec-subresource-integrity/
Would be nice if we could hook js-ipfs into that somehow.
A IPFS hash like
QmYtUc4iTCbbfVSDNKvtQqrfyezPPnFvE33wFmutw9PBBk which is base58, would have to converted into base64 and adding the hash function before (which means we have the hash function twice…)
Then somehow overload the loading of resources and load them from IPFS instead. Maybe something we can do with the ipfs-companion (https://github.com/ipfs/ipfs-companion) @lidel?