
I'd like to have a scheme for referencing secure third-party content that includes hashes.

All that's really needed is a convention that a URL parameter of the form "example.com/.../sha3hash-nnnnnnnnn" indicates the secure hash of the page to be served. Cache systems can cache such pages, but if they change them in any way, the change can be detected.

This removes the need to encrypt publicly available static information. It doesn't require a secure certificate. Most importantly, it means you can use a content-delivery network without letting it have MITM privileges on secure content.

HTTPS Everywhere means Cloudflare gets to see all your users' passwords. That's not a good thing.
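The hash-in-URL convention proposed in the comment above, sketched as an added example that is not part of the thread: a client or cache recomputes the digest of the bytes it received and rejects anything an intermediary altered. SHA3-256, lowercase hex, the digest as the final path segment, and the names `pinned_url`, `expected_digest` and `verify_body` are all assumptions; the comment only gives the form "sha3hash-nnnnnnnnn".

```python
import hashlib
import hmac
import re
from urllib.parse import urlsplit

# Assumed encoding: the last path segment is "sha3hash-" + 64 hex chars (SHA3-256).
_SEGMENT_RE = re.compile(r"^sha3hash-([0-9a-f]{64})$")


class IntegrityError(Exception):
    """The body does not match the digest pinned in its URL."""


def pinned_url(resource_url, body):
    """Publisher side: append the digest of the body to the resource URL."""
    return f"{resource_url}/sha3hash-{hashlib.sha3_256(body).hexdigest()}"


def expected_digest(url):
    """Return the hex digest pinned in the URL, or None if it carries none."""
    segment = urlsplit(url).path.rsplit("/", 1)[-1]
    match = _SEGMENT_RE.match(segment.lower())
    return match.group(1) if match else None


def verify_body(url, body):
    """Client side: return body if it matches the pinned digest, else raise.

    A URL with no pinned digest is rejected, so a rewritten link cannot
    downgrade the check to "nothing to verify".
    """
    want = expected_digest(url)
    if want is None:
        raise IntegrityError("URL carries no sha3hash- segment")
    got = hashlib.sha3_256(body).hexdigest()
    if not hmac.compare_digest(got, want):
        raise IntegrityError(f"digest mismatch: expected {want}, got {got}")
    return body


if __name__ == "__main__":
    # Constructed sample: a static script and a copy modified in transit.
    original = b"console.log('static asset v1');\n"
    modified = original + b"/* injected by intermediary */\n"
    url = pinned_url("http://cdn.example/static/app.js", original)
    print("intact copy accepted:", verify_body(url, original) == original)
    try:
        verify_body(url, modified)
    except IntegrityError as exc:
        print("modified copy rejected:", exc)
```

The check only helps if the URL itself reaches the client over a channel the cache or CDN cannot rewrite; integrity of the link is outside what the digest covers.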




Encryption makes sense even for publicly available static information. You're not just protecting the contents of the information; you're protecting the knowledge that that specific user accessed it.

And I certainly wouldn't advocate giving a CDN permission to MITM your own domain. Give it its own dedicated domain, serve content from that domain via HTTPS, and don't let that domain have any user-specific information.


> And I certainly wouldn't advocate giving a CDN permission to MITM your own domain.

That's how Cloudflare works. At least 36,000 domains let Cloudflare act as a MITM for them. Including "news.ycombinator.com".

This is the price of "HTTPS Everywhere" security theater.

Also, if you know the IP address and the length, you can often figure out what static content was accessed.


> This is the price of "HTTPS Everywhere" security theater.

HTTPS everywhere isn't security theater. It prevents ISPs and coffee shop wifi snoopers from intercepting unencrypted traffic. Combined with certificate pinning et al., it also protects users against those governments that don't control the CDN that serves the HTTPS traffic.


It's not like CloudFlare can't see passwords if you don't use HTTPS. I don't think it's security theater, because CloudFlare being compromised is only one out of a large class of potential attacks.

That said, I fully agree that it would be nice to not have to trust CloudFlare.



