I'm trying to think of how best to solve this particular vuln...
The solution that ZAP provides for this particular vulnerability is:
"Ensure JavaScript source files are loaded from only trusted sources, and the sources can't be controlled by end users of the application."
What does "trusted sources" mean in this context? Isn't the problem here when a trusted source gets compromised and starts to serve malicious content? Does "trusted source" mean a source known not to be easily compromised? It's rare for one company to expose their security standing to another for vetting purposes, so the best I can think of here is that this is supposed to say "known sources", i.e. I'm having the user pull something from google.com, not a typo version of that domain?
Also, what is meant by "sources can't be controlled by end users of the application"? If a user is using a web browser with F12 open, the sky's the limit as far as alteration of the source, correct? I mean, they could alter the JavaScript directly in the browser after it has been downloaded from a trusted source too, right? Are there ways to prevent this?
I thought this particular vuln was more about protecting the user than it is about protecting against the user?
As far as addressing this vuln, the description that ZAP gives is this:
"The page includes one or more script files from a third-party domain."
I know that one method we can use is to hash the JavaScript and include that value in the HTML that requests the download -- this allows the browser to verify that what's coming in is what is expected. I assume the vuln scanner looks for this and will not trigger if all sources have a hash?
Otherwise, to make the scanner happy, one would need to download all the content and serve it locally (or do some type of proxy cache)? Are there other options? Can one "jail" JavaScript? Is there an SELinux for JavaScript?