[Feature Request] Support sub-resource integrity (SRI) for assets when `serve_locally=False`

[mkhorton]

Is your feature request related to a problem? Please describe.

When serve_locally=False, scripts are retrieved from unpkg.com. From the example in the documentation, it looks like there is no subresource integrity information included, so if the CDN were to serve a malicious file, it would be run without complaint.

Describe the solution you'd like

Since dash has full control over the component build and publishing process, it seems like it would be possible to generate the hashes required for SRI and ensure these are included.

Describe alternatives you've considered

None.

Additional context

I tried to see if this issue had already been raised but couldn't find anything. I saw an issue in dashR, but that was related to explicitly including SRI in external_scripts and not in the component bundles delivered by serve_locally=False. It's also possible this is already included, and I've misunderstood!

[mkhorton]

Thinking about this more, it seems like this would have to be included here, and presumably the SRI hash generated during the npm run build and the __init__.py updated accordingly?