20 Sep
CSP Violation report has a [blockedURL] that is in the [originalPolicy]
I keep getting Content Security Policy reports saying that https://googleads.g.doubleclick.net:443/pagead/viewthroughconversion/[redacted]/?random=... has been blocked by the img-src [effectiveDirective], even though in the same report it confirms I have https://*.g.doubleclick.net in the img-src policy.
Array
(
[type] => csp-violation
[url] => https://[redacted].co.uk/contact/
[body] => Array
(
[documentURL] => https://[redacted].co.uk/contact/
[disposition] => report
[referrer] => https://[redacted].co.uk/services/
[effectiveDirective] => img-src
[blockedURL] => https://googleads.g.doubleclick.net:443/pagead/viewthroughconversion/[redacted]/?random=[a very long string]
[originalPolicy] => default-src 'self'; script-src 'self' data: 'unsafe-inline' https://bat.bing.com https://www.googletagmanager.com https://www.googleadservices.com; style-src 'self' 'unsafe-inline'; img-src 'self' data: https://bat.bing.com https://lh3.googleusercontent.com https://*.google-analytics.com https://*.analytics.google.com https://*.googletagmanager.com https://*.g.doubleclick.net https://*.google.com; font-src 'self'; connect-src 'self' https://bat.bing.com https://*.google-analytics.com https://*.analytics.google.com https://*.googletagmanager.com https://*.g.doubleclick.net https://*.google.com; frame-src 'self' https://sketchfab.com; worker-src 'self'; object-src 'none'; base-uri 'self'; form-action 'self'; report-uri https://[redacted].co.uk/security-reports/report; report-to default;
[statusCode] => 200
[sample] =>
[sourceFile] => https://[redacted].co.uk/contact/
[lineNumber] => 0
[columnNumber] => 1
)
)
I've tried adding https://googleads.g.doubleclick.net and https://*.doubleclick.net to the policy to no avail.
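
A triage check for reports like the one above, added here as an example and not part of the original post: it parses a report's originalPolicy and lists which source expressions in the effectiveDirective allow the blockedURL under CSP Level 3 host-source matching. The function names are hypothetical, the matching is simplified, and the sample report is constructed, with example.co.uk and the path id standing in for the redacted values.

```javascript
// Simplified CSP Level 3 source matching; redirects, nonces and hashes are not modelled.
const DEFAULT_PORT = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' };
// Split a serialized policy into { directive-name: [source expressions] }.
function parsePolicy(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name && !(name.toLowerCase() in directives)) directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// True when one source expression allows `url` for a page at `documentURL`.
function sourceMatches(expr, url, documentURL) {
  const doc = new URL(documentURL);
  if (expr.toLowerCase() === "'self'") return url.origin === doc.origin;
  if (expr.startsWith("'")) return false; // 'none', 'unsafe-inline', nonce/hash sources
  if (expr === '*') return url.protocol in DEFAULT_PORT;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return url.protocol === expr.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[^\/:*]+)(?::(\d+|\*))?(\/.*)?$/i.exec(expr);
  if (!m) return false;
  const [, scheme, host, port, path] = m;
  const wanted = scheme ? scheme.toLowerCase() + ':' : doc.protocol;
  // An http source also covers the https upgrade of the same host.
  if (url.protocol !== wanted && !(wanted === 'http:' && url.protocol === 'https:')) return false;
  const h = host.toLowerCase();
  // "*.example.com" covers subdomains only, never the bare "example.com".
  if (!(h === '*' || (h.startsWith('*.') ? url.hostname.endsWith(h.slice(1)) : url.hostname === h))) return false;
  // WHATWG URL drops an explicit default port, so ":443" on https parses to "".
  const urlPort = url.port || DEFAULT_PORT[url.protocol];
  if (port !== '*' && urlPort !== (port || DEFAULT_PORT[url.protocol])) return false;
  if (!path || path === '/') return true;
  return path.endsWith('/') ? url.pathname.startsWith(path) : url.pathname === path;
}

// Return the source expressions in the report's own policy that allow its blockedURL.
function allowingSources(report) {
  const policy = parsePolicy(report.originalPolicy);
  const sources = policy[report.effectiveDirective] || policy['default-src'] || [];
  return sources.filter((s) => sourceMatches(s, new URL(report.blockedURL), report.documentURL));
}

// Constructed report: example.co.uk and the path id stand in for the redacted values.
const sampleReport = {
  documentURL: 'https://example.co.uk/contact/',
  effectiveDirective: 'img-src',
  blockedURL: 'https://googleads.g.doubleclick.net:443/pagead/viewthroughconversion/0000/?random=1',
  originalPolicy: "default-src 'self'; img-src 'self' data: https://bat.bing.com https://*.g.doubleclick.net https://*.google.com; object-src 'none'",
};
console.log(allowingSources(sampleReport)); // [ 'https://*.g.doubleclick.net' ]
```

A non-empty result means the policy text carried in the report allows the blocked URL by scheme, host and port, so the reported policy's host list alone does not account for the violation.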