How secure are CDNs for delivering jQuery?

醉话见心 2021-02-05 04:41

We build sites that have a public (non-secured) area and a secured (delivered over HTTPS) area, and we use the jQuery library.

Recently I suggested we use Google CDN for jQuery

4 Answers
  •  余生分开走
    2021-02-05 05:30

    Is serving jQuery from CDN really less secure than serving it from the server itself?

    Yes. If it's an external resource it's always less secure. How could you possibly be sure you know what your customers are really getting if you don't own the source code? And if you're not familiar with CloudBleed, you may want to read up before you continue.

    If you do need to load jQuery from an external CDN for performance reasons, please ensure you're using Subresource Integrity. More information on SRI can be located on MDN.

    Lastly, if loading jQuery securely via CDN is a concern due to website performance and the creation of a Single-Point of Failure (and it should be a concern if you're at all familiar with the work of Steve Souders), you're almost certainly better off from a security and performance perspective moving all of your scripts in-house and loading them asynchronously in parallel using Fetch Injection. Just be sure, if you do, you're aggressively browser caching. And if you serve a global audience, make sure you're edge caching those assets.
