ÁS ebben le is van írva, hogy ez nem ad semmilyen securityt: non-secure contexts remain non-secure.
És emiatt ezt az egészet csak HTTPS felett ajánlja a W3C. Nem hülyék ám ők sem.
5.1. Non-secure contexts remain non-secure
Integrity metadata delivered by a context that is not a Secure Context such as an HTTP page, only protects an origin against a compromise of the server where an external resources is hosted. Network attackers can alter the digest in-flight (or remove it entirely, or do absolutely anything else to the document), just as they could alter the response the hash is meant to validate. Thus, it is recommended that authors deliver integrity metadata only to a Secure Context. See also Securing the Web.