The CDN doesn't control the SHA1, your website does.

Some sites host their static HTML on a CDN too. Example: anyone who uses Cloudflare.

If you use proxy server that terminates HTTPS connections you have to trust it. There is nothing you can do.

I was thinking the same thing. For this to work you'd have to not use a CDN to host the static HTML (or maybe a different CDN?) Otherwise, it would be trivial for someone already sophisticated enough to inject a malicious script to also change the hash.

Incidentally, I always wonder about this for non-HTTPS sites that offer binary downloads and crypto hashes to verify the files. How can you be sure someone isn't MitM'ing you?