#319 MathJax CDN is shutting down

[Dmitry Shachnev]

The default MathJax URL used by docutils HTML writers is https://cdn.mathjax.org/mathjax/latest/MathJax.js?config=TeX-AMS_CHTML.

However, according to https://www.mathjax.org/cdn-shutting-down/:

• This CDN has been shut down;
• The recommended alternative is using https://cdnjs.cloudflare.com/ajax/libs/mathjax/2.7.1/MathJax.js however there is no support for unversioned/latest URLs;
• There is a temporary redirect script from the old CDN to the new CDN, but it will be shut down later. The MathJax developers recommend “switching to another CDN provider or your own copy of MathJax as soon as possible”.

[Günter Milde]

Thank you for the info.
Shall we change to the recommended alternative?

+1 simple,
+1 works out of the box

-1 needs regular update for new MathJax versions
-1 no terms of use
-1 3rd party javascript, how safe is this?

Alternatively, we could leave the MathJax URL without default

-1 fails unless the user provides a URL
+1 securitiy risk (3rd-party javascript) as opt-in.

In this case, I suggest a separate config setting for the mathjax URL.

In any case, we need a fast decision.

[David Goodger]

I think that the long-term solution is for the user to specify the
MathJax URL, as a config setting.

ISTM that the MathJax code ought to be installed locally on the same
server as the rest of the deployed site files. This should be the
default. Anything else risks (at best) the same thing happening again
in future, or (at worst) cross-site scripting attacks.

David Goodger
http://python.net/~goodger

[Günter Milde]

For security reasons, we don't use a third party public installation as default but warn
if math-output is set to MathJax without specifying a URL.