Cool! But maybe not for the BA break-in?
Just looked into SRI and that seems like some cool ass stuff. I am a bit concerned that W3 consider SHA384 as the baseline hash... seems like a bit of overkill, especially when considering mobile devices and power consumption. Maybe SHA computing has been optimized in hardware? But then again, scripts don't tend to be that big I guess.
But re-refreshing myself with the BA breakin, their core website was broken into and had their own HTML hacked to pull a script loaded from a non-related domain that kinda looked like it might belong to British Airways...
So, I'm not sure how SRI would have helped here. This wasn't a third-party hosted script that was changed. This was their first-party website hacked to load a third-party script.
The correct solution would have been to (carefully) monitor changes to critical files.. and I'm assuming that their payment pages should have fallen under PCI 11.5(a).