TinFoil Security on Subsource Integrity
W3C chat between Joel Weinberger from Chromium and Gervase Markham from Mozilla talking about Subresource Integrity
I've no idea whether this is something a website owner can implement on his or her own. Does it need the cooperation of the asset provider?
The only outside assets I uses are Google fonts. I asked Nik Black from Tinfoil Security, and he answered this way:
The webmaster can calculate the hash independent of the asset provider yes, we usually recommend https://www.srihash.org/ but it looks like they don't handle the Google web font resources correctly. Subresource Integrity Protection is still relatively new, so support for it is still catching up.