Load demo page libs via CDN with subresource integrity

src/app.js

@@ -75,7 +75,7 @@ app.use(function *(next) {
     this.set('Public-Key-Pins', 'pin-sha256="' + config.server.httpsKeyPin + '"; pin-sha256="' + config.server.httpsKeyPinBackup + '"; max-age=16070400');
   }
   // CSP
-  this.set('Content-Security-Policy', "default-src 'self'; object-src 'none'");
+  this.set('Content-Security-Policy', "default-src 'self'; object-src 'none'; script-src 'self' code.jquery.com; style-src 'self' maxcdn.bootstrapcdn.com; font-src 'self' maxcdn.bootstrapcdn.com");
   // Prevent rendering website in foreign iframe (Clickjacking)
   this.set('X-Frame-Options', 'DENY');
   // CORS

src/static/demo.html

@@ -8,8 +8,8 @@
 
     <title>Mailvelope Key Server</title>
 
-    <link href="css/bootstrap.min.css" rel="stylesheet">
+    <link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css" integrity="sha384-1q8mTJOASx8j1Au+a5WDVnPi2lkFfwwEAa8hDDdjZlpLegxhjVME1fgjWPGmkzs7" crossorigin="anonymous">
-    <link href="css/jumbotron-narrow.css" rel="stylesheet">
+    <link rel="stylesheet" href="css/jumbotron-narrow.css">
   </head>
 
   <body>
@@ -94,7 +94,7 @@
 
     </div> <!-- /container -->
 
-    <script src="js/jquery.min.js"></script>
+    <script src="https://code.jquery.com/jquery-3.0.0.min.js" integrity="sha256-JmvOoLtYsmqlsWxa7mDSLMwa6dZ9rrIdtrrVYRnDRH0=" crossorigin="anonymous"></script>
     <script src="js/demo.js"></script>
 
   </body>

src/static/index.html

@@ -8,8 +8,8 @@
 
     <title>Mailvelope Key Server</title>
 
-    <link href="css/bootstrap.min.css" rel="stylesheet">
+    <link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css" integrity="sha384-1q8mTJOASx8j1Au+a5WDVnPi2lkFfwwEAa8hDDdjZlpLegxhjVME1fgjWPGmkzs7" crossorigin="anonymous">
-    <link href="css/jumbotron-narrow.css" rel="stylesheet">
+    <link rel="stylesheet" href="css/jumbotron-narrow.css">
   </head>
 
   <body>