I'm creating a gadget (T223776) that queries an endpoint at tools.wmflabs.org, but this seems to violate the current CSP:
[Report Only] Refused to connect to 'https://tools.wmflabs.org/externalitemsuggester/search?property=P214&value=test' because it violates the following Content Security Policy directive: "default-src 'self' data: blob: upload.wikimedia.org https://commons.wikimedia.org meta.wikimedia.org *.wikimedia.org *.wikipedia.org *.wikinews.org *.wiktionary.org *.wikibooks.org *.wikiversity.org *.wikisource.org wikisource.org *.wikiquote.org *.wikidata.org *.wikivoyage.org *.mediawiki.org wikimedia.org". Note that 'connect-src' was not explicitly set, so 'default-src' is used as a fallback.
While it's report only, it's a bit worrying. Can *.wmflabs.org be added to the CSP? Looking at T130748, it seems like it was included at some point, but was then removed? I didn't manage to find a discussion about it.
Related issue: T220475
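An added example, not part of the original report: a simplified JavaScript check of a connect target against the policy quoted in the console message, showing the fallback from `connect-src` to `default-src` and how host sources are matched. The page URL is an assumed value, and ports and paths in source expressions are not handled.

```javascript
// Added example: simplified CSP source matching (schemes, hosts and leading "*." only).
const POLICY = "default-src 'self' data: blob: upload.wikimedia.org https://commons.wikimedia.org meta.wikimedia.org *.wikimedia.org *.wikipedia.org *.wikinews.org *.wiktionary.org *.wikibooks.org *.wikiversity.org *.wikisource.org wikisource.org *.wikiquote.org *.wikidata.org *.wikivoyage.org *.mediawiki.org wikimedia.org";
const PAGE = 'https://www.wikidata.org/wiki/Q42'; // assumed page the gadget runs on

// Split a policy string into a map of directive name -> source list.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // The first occurrence of a directive wins; later duplicates are ignored.
    if (name && !directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// Does one source expression match the target URL?
function sourceMatches(source, url, page) {
  if (source === "'self'") return url.origin === page.origin;
  // Scheme source such as "data:" or "blob:".
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return url.protocol === source.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)$/i.exec(source);
  if (!m) return false; // other keywords and forms are not handled here
  const [, scheme, wildcard, host] = m;
  // A host source without a scheme takes the page's scheme (https is also accepted).
  const okScheme = scheme
    ? url.protocol === scheme.toLowerCase() + ':'
    : url.protocol === page.protocol || url.protocol === 'https:';
  const h = url.hostname.toLowerCase();
  // "*.example.org" matches subdomains only, never the bare "example.org".
  const okHost = wildcard ? h.endsWith('.' + host.toLowerCase()) : h === host.toLowerCase();
  return okScheme && okHost;
}

// Decide a fetch/XHR target: connect-src if present, otherwise default-src.
function connectAllowed(policy, target, pageUrl) {
  const directives = parsePolicy(policy);
  const directive = directives.has('connect-src') ? 'connect-src' : 'default-src';
  const sources = directives.get(directive);
  if (!sources) return { allowed: true, directive: null }; // neither directive is set
  const url = new URL(target);
  const page = new URL(pageUrl);
  return { allowed: sources.some((s) => sourceMatches(s, url, page)), directive };
}

console.log(connectAllowed(POLICY,
  'https://tools.wmflabs.org/externalitemsuggester/search?property=P214&value=test', PAGE));
```
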