SSL + CDN + Javascript
SSL is a contract to your users that the information they provide you will not be accessible to anyone else.
If you are including active content (JavaScript libraries, HTML fragments) from a third party, simply prepending "https://" to make the mixed-content errors go away still breaks that contract: the CDN is now able to inject any code of its choosing into your webpage, and TLS only guarantees that you received exactly what the CDN sent.
If you still want the performance benefits of a CDN, this 1.5kb tool closes that gap by using CORS to retrieve resources from supporting CDNs (e.g. cdnjs.com) and validating the contents of every resource against a known sha256 hash before allowing it to execute on the page.
Thanks to Ryan Grove for the inspiration
Installation
npm install secdn
Examples
The library exposes the following operations (the call signatures did not survive in this copy of the README; only the method names given below are known):

- Compute the sha256 hash of any string (after using `escape()`, as tiny-sha256 only supports ASCII).
- Download a trusted resource (a local script or a CORS-enabled CDN) and compute the hash signature that will be used later to verify it.
- Download a resource from any **untrusted** CORS-enabled CDN with `secdn.retrieve`; it will throw an exception if the resource has been tampered with.
- A wrapper for `secdn.retrieve` that includes the content as a script in the document head.
- A wrapper for `secdn.retrieve` that replaces the current page's entire HTML with the supplied content.
License
MIT