It would be great to use subresource integrity to protect a forum from potential malicious changes that hosted script.
It would also be great to protect the stylesheets but that's sadly not possible as the whole interest of using an hosted version here is to change it at will. At least stylesheets are not as dangerous as scripts (yet).
I computed the missing hash but sadly it doesn't work because that CDN hasn't configured the correct CORS header...
<script defer src="https://code.getmdl.io/1.3.0/material.min.js" integrity="sha384-KxJ0gpu9LJdUtdV6oe5/l3PSF37awRaWGFhnKt8hq6vS3/Wlzy1YPuJzIwg/ljkW" crossorigin="anonymous"></script>
If somebody could get those material guys to fix their CDN (and update their example "hosted" section to use subresource integrity) that would be better for everyone. Is it a project backed by Google ? I would be very surprised they overlooked that if it's them ?