Hardening: No external resources should be embedded

[LukasReschke]

Description Considering the criticality of the stored data it is important to not embed any external resources. This makes the security of this web page reliant on an untrusted third-party provider.

A short grep on the source code shows that data is loaded for example from:

• netdna.bootstrapcdn.com
• cdnjs.cloudflare.com
• ajax.googleapis.com
• maxcdn.bootstrapcdn.com

The content loaded also includes Javascript files. This means if the pages do for any reason (e.g. malicious owner or being hacked) deliver malicious content they can execute arbitrary JavaScript in the user-context.

Proposed actions

• Recommended: Do not deliver content from external resources
• Alternatively: Implement Subresource Integrity. Note however that this is neither supported in Edge or Internet Explorer.

[amarfurt]

Refers to version that has been moved.