I think it would be a great thing to add a group of sources like the ones above for Google AdSense; that way the plugin is easier to set up for non-advanced users.
Is that actually enough? Seems like there are always other assets coming from other domains that cause more CSP violations even with the google*.com ones listed. And Google is free to change where the ad assets come from at any time. Also it would be surprising if someone installs the plugin and suddenly they have all these permitted resources (adsense, ad manager, amazon, codefund, carbon ads, and anything else included in the plugin) added to their security settings without asking.
Same here. It’s always dangerous (bad practice) to enable restrictive settings by default, especially for upgrades. Took a while to figure out what is broken.
(This also breaks external cookie consent scripts, which are super annoying but kind of a legal requirement)
We’re not going to give Google js the keys to your community by default, and we can’t add a suggested list of sources to add to CSP settings given how the official Google doc doesn’t include all the necessary sources and can change them at any time (and already has?). Having gone through this with a customer last week (adding 19 sources to get it working), enabling CSP while using Google ads is going to be painful and we can’t automate it in the plugin.
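
Added example, not part of the thread or the plugin: since the sources an ad network needs cannot be listed in advance, one way to see what a policy is actually blocking is to group collected CSP violation reports by directive and blocked origin, then review each origin before allowing it. The reports use the standard `report-uri` JSON shape; the sample data, hostnames and function names are constructed for illustration.

```javascript
// Added example: group CSP violation reports by directive and blocked origin.
// The report bodies below are constructed samples in the "report-uri" JSON
// shape; the hostnames are placeholders, not a real ad network's source list.
const sampleReports = [
  { "csp-report": { "document-uri": "https://forum.example/t/1",
      "effective-directive": "script-src",
      "blocked-uri": "https://ads.adnetwork.example/js/show_ads.js" } },
  { "csp-report": { "document-uri": "https://forum.example/t/2",
      "effective-directive": "script-src",
      "blocked-uri": "https://ads.adnetwork.example/js/loader.js?v=2" } },
  { "csp-report": { "document-uri": "https://forum.example/t/2",
      "violated-directive": "script-src 'self'",
      "blocked-uri": "https://cdn.consent.example/banner.js" } },
  { "csp-report": { "document-uri": "https://forum.example/t/3",
      "effective-directive": "script-src",
      "blocked-uri": "inline" } },
  { "unexpected": true },
];

// Reduce a blocked-uri to something that can be reviewed as a CSP source.
// Keywords such as "inline", "eval" or "data" are not hosts: allowing them
// means 'unsafe-inline' / 'unsafe-eval' / data:, so they are kept separate.
function blockedOrigin(blockedUri) {
  try {
    const u = new URL(blockedUri);
    if (u.protocol === "http:" || u.protocol === "https:") return u.origin;
    return "(scheme) " + u.protocol;
  } catch {
    return "(keyword) " + (blockedUri || "unknown");
  }
}

// Returns { directive: { origin: count } } for manual review.
function summarizeCspReports(reports) {
  const summary = {};
  for (const body of reports) {
    const r = body && body["csp-report"];
    if (!r) continue; // skip malformed submissions
    const directive = r["effective-directive"] ||
      (r["violated-directive"] || "unknown").split(/\s+/)[0];
    const origin = blockedOrigin(r["blocked-uri"]);
    summary[directive] = summary[directive] || {};
    summary[directive][origin] = (summary[directive][origin] || 0) + 1;
  }
  return summary;
}

console.log(JSON.stringify(summarizeCspReports(sampleReports), null, 2));
```

Violation reports are submitted by browsers and can be forged by anyone, so the summary is a review list, not something to feed into the policy automatically.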