NoScript behavior on “Safer” security level prevents integrity checks for dynamically loaded JavaScript
Summary
When using Tor Browser with the “Safer” security level, dynamically loaded scripts with integrity attributes fail checksum comparison. I've also filed an issue on NoScript here https://github.com/hackademix/noscript/issues/514.
For example, on https://account.protonmailrmez3lotccipshtkleegetolb73fuirgj7r4o4vfu7ozyd.onion/ or https://account.proton.me/start:
None of the “sha384” hashes in the integrity attribute match the content of the subresource at “https://account.proton.me/assets/static/recovery-kit.efbca47c.chunk.js?1771429324994”. The computed hash is “TTTibN6f+qblUKL9MUS+ZJc2itb7Z+GLHbCIiknVtgjJe3etoaOzcy3xOjyEIB5H”.
Details
Since the source file is modified (somewhere along the chain), it seems that the integrity checksum gets compared with NoScript's injected content, which fails the check.
Edited by Mattias Svanström
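The check that produces the console message above can be reproduced offline. This is an added example, not code from NoScript, Tor Browser or Proton: it follows the Subresource Integrity matching rules (only the strongest listed algorithm counts), and the script body and the injected prefix are constructed stand-ins, since the report does not show what was actually injected.

```javascript
const crypto = require('node:crypto');

// Relative strength used to pick which hashes in the attribute are enforced.
const STRENGTH = { sha256: 1, sha384: 2, sha512: 3 };

// Parse an integrity attribute into [{alg, digest}], skipping unknown tokens.
function parseIntegrity(attr) {
  return attr.trim().split(/\s+/).map((token) => {
    const m = /^(sha256|sha384|sha512)-([A-Za-z0-9+/_-]+={0,2})(\?.*)?$/.exec(token);
    return m ? { alg: m[1], digest: m[2] } : null;
  }).filter(Boolean);
}

// Base64 digest of the exact bytes handed to the integrity check.
function sriDigest(alg, body) {
  return crypto.createHash(alg).update(body).digest('base64');
}

// Returns { ok, computed }. Only entries of the strongest algorithm are compared.
function checkIntegrity(attr, body) {
  const entries = parseIntegrity(attr);
  if (entries.length === 0) return { ok: true, computed: null }; // no usable metadata
  const best = Math.max(...entries.map((e) => STRENGTH[e.alg]));
  const strongest = entries.filter((e) => STRENGTH[e.alg] === best);
  const alg = strongest[0].alg;
  const computed = sriDigest(alg, body);
  return { ok: strongest.some((e) => e.digest === computed), computed: `${alg}-${computed}` };
}

function demo() {
  // Constructed script body, as the origin server would send it.
  const served = Buffer.from('export const kit = "recovery";\n');
  // The page author computes the attribute over those bytes at build time.
  const attr = `sha384-${sriDigest('sha384', served)}`;
  // Constructed modification: any bytes added before the check change the digest.
  const modified = Buffer.concat([Buffer.from('/* injected */\n'), served]);
  return {
    attr,
    asServed: checkIntegrity(attr, served),
    asModified: checkIntegrity(attr, modified),
  };
}

console.log(demo());
```

The `computed` value for the modified body is the counterpart of the “computed hash” in the browser message: it is the digest of whatever bytes reached the check, not of what the server sent.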
