Let the user maintain a list of trusted hosts or resources.

[jukzi]

Instead of only globally enable/disable download of external resources it would be more secure to allow only some resources to be automatically downloaded.
i.e. provide multiple quickfixes like
a) "Download all resources from http://springframework.com/**"
b) "Download resource from http://springframework.com/dtd/spring-beans-1.0.dtd"
c) "Enable download resources from all hosts (NOT RECOMMENDED)"

forked from:
eclipse-wildwebdeveloper/wildwebdeveloper#1289 (comment)

Also it may be a good idea to - by default - use https instead of http when possible even if the link specifies "http".

[angelozerr]

Instead of only globally enable/disable download of external resources

I think we should keep it.

To manage allowed url, I think we should have:

• a new settings where you can declare a list of allowed url
• those allowed url could use pattern (ex : http://**/foo)

So those settings could be updated at hand by the user.

For quickfix,

• the a) is a very good idea and should update the new settings
• the b) already exists but it should update this new settings to allow the download when lemminx cache is evicted
• the c) as you said it is not recommended