
Potentially insecure CDN URL override mechanism for custom widgets

Open vivek1729 opened this issue 5 years ago • 0 comments

The frontend code for third-party widgets is typically hosted on public CDNs and retrieved by the WidgetManager via HTTP calls. The current implementation for custom widget support provides the following mechanism to override the base CDN URL for fetching widgets:

<script data-jupyter-widgets-cdn="https://cdn.jsdelivr.net/npm" src="bundle.js"></script>

The data-jupyter-widgets-cdn attribute on a script tag is based on the HTML Manager example in the ipywidgets project. This extensibility point on the DOM can potentially allow a user to override the base CDN URL with a malicious link and might open up avenues for scripting attacks.

We'd want to better understand this design choice, investigate and address this security issue for the jupyter-widgets package.

vivek1729 avatar Dec 03 '20 17:12 vivek1729
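One defensive way to handle the override described in the issue is to treat the attribute value as untrusted input: parse it as a URL, require https, compare its origin against an allowlist, and fall back to the default CDN otherwise. The code below is an added example, not code from ipywidgets or the issue author; the function names, the allowlist entries other than cdn.jsdelivr.net, and the `dist/index.js` module path are assumptions.

```javascript
// Default taken from the script tag quoted in the issue.
const DEFAULT_CDN = 'https://cdn.jsdelivr.net/npm';

// Assumed allowlist of CDN origins a deployment is willing to load widget code from.
const ALLOWED_CDN_ORIGINS = new Set([
  'https://cdn.jsdelivr.net',
  'https://unpkg.com', // assumed second entry for illustration
]);

// Validate a data-jupyter-widgets-cdn value; return a safe base URL or the default.
function resolveWidgetCdn(attrValue, allowedOrigins = ALLOWED_CDN_ORIGINS) {
  if (attrValue == null || attrValue.trim() === '') return DEFAULT_CDN;
  let url;
  try {
    url = new URL(attrValue.trim()); // throws on relative paths and bare schemes
  } catch {
    return DEFAULT_CDN;
  }
  if (url.protocol !== 'https:') return DEFAULT_CDN;        // rejects javascript:, http:, data:
  if (!allowedOrigins.has(url.origin)) return DEFAULT_CDN;   // rejects look-alike hosts
  if (url.username || url.password) return DEFAULT_CDN;      // rejects user@host tricks
  if (url.search || url.hash) return DEFAULT_CDN;            // base URL should be a plain path
  return url.href.replace(/\/+$/, '');                       // normalise trailing slashes
}

// Build the module URL from a validated base; name and version are checked so they
// cannot escape the base path. The dist/index.js layout is an assumption.
function buildModuleUrl(cdnBase, moduleName, version) {
  const nameOk = /^(@[a-z0-9][a-z0-9._-]*\/)?[a-z0-9][a-z0-9._-]*$/.test(moduleName);
  const versionOk = /^[0-9A-Za-z.+-]+$/.test(version);
  if (!nameOk || !versionOk) {
    throw new Error(`refusing to build URL for ${moduleName}@${version}`);
  }
  return `${cdnBase}/${moduleName}@${version}/dist/index.js`;
}

// Browser entry point: read the attribute from the DOM and validate it (hypothetical name).
function readCdnFromDocument(doc) {
  const el = doc.querySelector('script[data-jupyter-widgets-cdn]');
  return resolveWidgetCdn(el ? el.getAttribute('data-jupyter-widgets-cdn') : null);
}
```

Pairing the allowlist with a Content-Security-Policy `script-src` that names the same origins gives a second, browser-enforced check if the JavaScript-level validation is ever bypassed.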