Specifying the hash of a script from an untrusted host

This feature was proposed by the W3C as Subresource Integrity. As of December 2015, this recommendation has been implemented by Chrome 44 and Firefox 43.

EXAMPLE 1
<link rel="stylesheet" href="https://site53.example.net/style.css"
      integrity="sha256-vjnUh7+rXHH2lg/5vDY8032ftNVCIEC21vL6szrVw9M="
      crossorigin="anonymous">

There is a superficially similar feature in Content Security Policy Level 2, but it only restricts the contents of inline <script> and <style> elements, not external ones.