I recently shared a notebook with a mailing list, and one of the list members objected to the “security blunder” of pulling in resources from Gist and jsDelivr. This particular person runs NoScript on Firefox, it should be said.
By design, Observable is friendly to pulling resources from other sites. Also by design, I made use of those features. What can I do to make sure my notebooks are trustworthy to visitors like the one I mentioned? It is hard to appeal to the browser’s same-origin policy, when we often use sites that set very permissive CORS headers, seemingly eroding the trust we should be seeking to build.