
feat: add support for Integrity-Policy & SRI #15435

Open
willfarrell wants to merge 9 commits into sveltejs:main from willfarrell:feature/integrity-policy

Conversation

@willfarrell willfarrell commented Feb 26, 2026

Summary

Adds Subresource Integrity (SRI) support to SvelteKit — automatic integrity hashes on all framework-managed scripts and stylesheets, a new $app/integrity module for user-controlled assets, and an Integrity-Policy response header when Subresource Integrity is enabled. When Integrity-Policy is set to be strict, framework-managed assets will fail to load due to missing SRI.

What this does

New config options (top-level under kit, alongside csp/csrf):

  • subresourceIntegrity: false | 'sha256' | 'sha384' | 'sha512' — enables SRI hash generation for client assets at build time
  • integrityPolicy: { endpoints: ['default'] } — configures the Integrity-Policy response header destinations and endpoints

Automatic SRI on framework assets (render.js):

  • When enabled, integrity and crossorigin="anonymous" attributes are added to all `<script>` and `<link />` tags emitted during SSR
  • The Integrity-Policy header is set on responses when an integrity map is present

New $app/integrity module:

  • Exports integrity(url) — looks up the SRI hash for a Vite-processed asset URL (e.g. from a ?url import)
  • Returns the hash string during SSR, undefined on the client and in dev
  • Enables users to add integrity attributes to assets they load manually (e.g. via `<svelte:head>`)

Build pipeline (vite/index.js):

  • After client build, computes SRI hashes for all output chunks using node:crypto and stores them in build_data.client.integrity

Built to be opt-in only.

AI disclosure: Planned by Gemini 3.1 Pro using deep thinking. Implemented by Claude Opus 4.6. Reviewed and tested by human.


Please don't delete this checklist! Before submitting the PR, please make sure you do the following:

  • It's really useful if your PR references an issue where it is discussed ahead of time. In many cases, features are absent for a reason. For large changes, please create an RFC: https://github.com/sveltejs/rfcs
    • None
  • This message body should clearly illustrate what problems it solves.
  • Ideally, include a test that fails without this PR but passes with it.

Tests

  • Run the tests with pnpm test and lint the project with pnpm lint and pnpm check

Changesets

  • If your PR makes a change that should be noted in one or more packages' changelogs, generate a changeset by running pnpm changeset and following the prompts. Changesets that add features should be minor and those that fix bugs should be patch. Please prefix changeset messages with feat:, fix:, or chore:.
    • When using the CLI, it asks Which packages should have a major bump?, but doesn't let me set it as a minor version.

Edits

  • Please ensure that 'Allow edits from maintainers' is checked. PRs without this option may be closed.

Signed-off-by: will Farrell <willfarrell@proton.me>

changeset-bot bot commented Feb 26, 2026

⚠️ No Changeset found

Latest commit: 2c46656

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types


@willfarrell willfarrell changed the title feat: add support for Integrity-Policy & sri feat: add support for Integrity-Policy & SRI Feb 26, 2026

willfarrell commented Feb 27, 2026

I've been reflecting on this implementation. I feel like pulling out the automated Integrity-Policy part makes the most sense. It keeps it cleaner and simplifies the documentation. Let me know your thoughts.

willfarrell and others added 4 commits February 27, 2026 10:07