Why is a domain specified in a CSP default-src being reported as a script-src-elem violation?

I have a Content-Security-Policy-Report-Only: header of:
default-src 'report-sample' 'self' *.googleapis.com; object-src 'none'; report-uri https://example.com/csp_logger;

but violations are being reported to my csp_logger endpoint, speci…