This made me wonder why we don't just have a standard for signing content sent over HTTP. The original server would give the signature to the CDN, which would put the signature in an HTTP header, and then the browser could check that signature against the public key from the main site's SSL cert. Now you know that nobody could have gotten in the middle and sent you a malicious script, and you didn't have to encrypt an innocuous public asset.