Don't rely on CDNs

What needs to be done?

Make Hubl serve its own assets, don't rely on CDNs.

Technical details

When loading a Hubl instance, data is loaded from

  • …happy-dev.fr
  • …cloudflare.com
  • …coops.tech
  • …hubl.world
  • …jsdelivr.net
  • …jspm.dev
  • …jspm.io
  • …lescanumeriques.fr
  • …startinblox.com
  • …unpkg.com

Some of which serve all kinds of JS assets that are potentially dangerous. Some people like to block untrusted domains (in my case, jsdelivr.net, unpkg.com, jspm.* are absolute no-go, the others need a manual validation, but that's my business :)), which makes the tool unusable. Can't we make Hubl serve its own assets?

Using CDNs is a good idea in an ideal world, but we are speaking of the 2020 internet.

Test cases

Describe here the tests needed in order to validate this feature

  1. Install "NoScript" extension in your browser (Chrome/Firefox, I don't know for others)
  2. Visit a Hubl instance
  3. Allow the current tab to load all javascript in NoScript
  4. Open NoScript widget
  5. No CDN domain is contacted to get assets.
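Step 5 can also be verified without a browser extension, by scanning the HTML an instance serves and listing every asset origin that is not the instance's own host. The script below is an added example, not code from Hubl or Startin'blox; the sample page, the host `hubl.example` and the file names in it are constructed placeholders. It follows `<script src>`, `<link>` elements that trigger a fetch, media elements and, because the jspm domains in the list above are typically reached through import maps, the URLs inside `<script type="importmap">`.

```python
import json
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page (NOT a real Hubl page): one first-party script and
# stylesheet, one image on a sub-domain, and three CDN-hosted assets, one of
# them pulled in through an import map.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/assets/hubl.css">
<link rel="stylesheet" href="https://unpkg.com/some-theme@1.0.0/theme.css">
<script type="importmap">
{ "imports": { "@startinblox/core": "https://jspm.dev/@startinblox/core" } }
</script>
<script type="module" src="/assets/app.js"></script>
<script src="//cdn.jsdelivr.net/npm/some-lib@2/dist/lib.min.js"></script>
</head><body>
<img src="https://static.hubl.example/logo.png">
</body></html>
"""

# <link rel=...> values that make the browser fetch the href.
LINK_RELS_THAT_LOAD = {"stylesheet", "preload", "modulepreload", "prefetch", "icon"}


class AssetCollector(HTMLParser):
    """Collects every URL the browser would fetch for scripts, styles, media and import maps."""

    def __init__(self):
        super().__init__()
        self.urls = []
        self._in_importmap = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # valueless attributes come back as None
        if tag == "script":
            if a.get("type", "").strip().lower() == "importmap":
                self._in_importmap = True  # the URLs are in the element body, read in handle_data
            elif a.get("src"):
                self.urls.append(a["src"])
        elif tag == "link":
            rels = set(a.get("rel", "").lower().split())
            if a.get("href") and rels & LINK_RELS_THAT_LOAD:
                self.urls.append(a["href"])
        elif tag in ("img", "iframe", "video", "audio", "source") and a.get("src"):
            self.urls.append(a["src"])

    def handle_data(self, data):
        # HTMLParser hands over <script> bodies verbatim, so parse the import map JSON here.
        if not self._in_importmap:
            return
        try:
            imap = json.loads(data)
        except ValueError:
            return  # malformed import map: the browser ignores it as well
        self.urls.extend(imap.get("imports", {}).values())
        for scope in imap.get("scopes", {}).values():
            self.urls.extend(scope.values())

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_importmap = False


def is_first_party(host, site_host):
    """A host is first-party if it is the instance host or one of its sub-domains."""
    return host == site_host or host.endswith("." + site_host)


def third_party_assets(html, site_host):
    """Return sorted (host, url) pairs for assets served from outside site_host."""
    parser = AssetCollector()
    parser.feed(html)
    parser.close()
    found = set()
    for url in parser.urls:
        # Relative URLs have no hostname and are first-party by construction;
        # protocol-relative ones (//cdn.example/...) still yield a hostname.
        host = urlparse(url).hostname
        if host and not is_first_party(host.lower(), site_host.lower()):
            found.add((host.lower(), url))
    return sorted(found)


def third_party_hosts(html, site_host):
    """Just the distinct external hosts, for a quick pass/fail on step 5."""
    return sorted({host for host, _ in third_party_assets(html, site_host)})


if __name__ == "__main__":
    # With a real instance, replace SAMPLE_HTML by the page source saved from the browser.
    for host, url in third_party_assets(SAMPLE_HTML, "hubl.example"):
        print(f"{host:25} {url}")
```

The test passes only when `third_party_hosts()` returns an empty list for the instance's own host. Note that the scan covers the initial HTML only; modules loaded by `import()` at runtime or assets fetched by JavaScript are not visible to it, which is why the NoScript check above (or the browser's network panel) remains the final word.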

Links

  1. https://blog.malwarebytes.com/threat-analysis/2020/02/fraudsters-cloak-credit-card-skimmer-with-fake-content-delivery-network-ngrok-server/
  2. https://videojs.com/blog/unauthorized-modification-of-video-js-cdn-files/
  3. https://www.securityweek.com/new-attack-abuses-cdns-spread-malware
  4. ...