Also, if there's a known-trusted resource, go for https://developer.mozilla.org/en-US/docs/Web/Security/Subres... - if the resource changes, it will fail to load. If unchanged, offload to a CDN, if fails, serve locally. Multiple identifiers allowed, which mitigates second preimage attacks.
