Problem
It is not possible to verify SRI integrity of assets served by CDN. There was a previous discussion on it in #1.
Proposed Solution
allowCDN setting should accept an only-trusted-packages value; if set to that value, only imports with a defined integrity hash should be allowed; those values could be stored as:
we could be showing a window with the package code and automatically add SRI to the trustedCDNPackages if user confirms that this is ok.
I attempted to do this for requirejs in 8aa1628 and reverted in 4cf596b because it did not work reliably.
A lot of code can be reused from the above commits, but we probably should give up on requirejs altogether and use SystemJS which supports semi-unofficial-standard integrity maps (in the proposed format), see #1 (comment).
Additional context
I previously suggested that we could manually check integrity for ESM.sh (in #1 (comment)); this is doable but computing hashes is not trivial and requires an https secure context in modern browsers or a new dependency; SystemJS already takes care of it, so it's another argument for going that route.
I think that my previous attempt failed because at one point the require.js setup stopped working on my branch (fixed in fbc5b39). It should be possible to revive this effort once #28 is merged (I really should stop expanding on the change set there).