Steps to replicate the issue (include links if applicable):
- Paste and run fetch('https://api.github.com/repos/Eejit43/wikipedia-scripts/commits') in your browser console on a WP domain.
What happens?:
The following error message is produced:
Content-Security-Policy: The page’s settings blocked the loading of a resource (connect-src) at https://api.github.com/repos/Eejit43/wikipedia-scripts/commits because it violates the following directive: “default-src 'unsafe-eval' 'unsafe-inline' 'self' data: blob: https://*.wikimedia.org https://*.wikipedia.org https://*.wikinews.org https://*.wiktionary.org https://*.wikibooks.org https://*.wikiversity.org https://*.wikisource.org https://wikisource.org https://*.wikiquote.org https://*.wikidata.org https://*.wikifunctions.org https://*.wikivoyage.org https://*.mediawiki.org https://wikimedia.org https://*.wmflabs.org https://*.wmcloud.org https://*.toolforge.org https://*.jsdelivr.net https://unpkg.com https://cdnjs.cloudflare.com https://raw.githubusercontent.com https://github.com https://code.jquery.com https://cdn.mathjax.org https://use.typekit.net https://fonts.cdnfonts.com https://use.fontawesome.com https://i.ytimg.com https://rsms.me https://doi.org https://localhost:* http://localhost:* https://*.google.com https://*.gstatic.com https://*.googleapis.com https://*.translate.yandex.net https://yastatic.net https://ya.ru https://radically.github.io https://cdn.sammdot.ca https://cdn.fontshare.com https://viaf.org https://publicai-proxy.alaexis.workers.dev https://iiif.archive.org https://api.flickr.com”
What should have happened instead?:
The call should have been allowed, and not blocked by CSP.
Other information (browser name/version, screenshots, etc.):
github.com is already an allowed domain; I see no reason why subdomains shouldn't be allowed as well, at least api.github.com. I use this to fetch commit data and update scripts on-wiki, but I'm sure there are other use cases as well.
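Why the allowlisted host github.com does not cover api.github.com follows from how CSP matches host-source expressions: a plain hostname matches only that exact host, and only a "*." prefix matches subdomains. The following is an added example, not MediaWiki's or the reporter's code: a simplified matcher for the source-expression subset used in the policy quoted above, with the page origin https://en.wikipedia.org and a shortened copy of the default-src list assumed for illustration.

```javascript
// Added example (not MediaWiki code): a simplified CSP host-source matcher
// covering the source-expression forms in the quoted policy
// (scheme://host[:port] with optional "*." host wildcard and "*" port,
// plus 'self' and scheme sources such as data: and blob:).

// Shortened, constructed excerpt of the default-src list from the report.
// connect-src is not set in that policy, so fetch() falls back to this list.
const DEFAULT_SRC = [
  "'self'", "data:", "blob:",
  "https://*.wikimedia.org", "https://*.wikipedia.org",
  "https://raw.githubusercontent.com", "https://github.com",
  "https://localhost:*", "http://localhost:*",
];

// Does a single source expression allow the given URL?
function sourceMatches(expr, url, pageOrigin) {
  if (expr === "'self'") return url.origin === pageOrigin;
  if (expr.endsWith(":")) return url.protocol === expr; // scheme-source
  if (expr.startsWith("'")) return false; // 'unsafe-inline' etc. never match a URL
  const m = /^(?:(\w[\w+.-]*):\/\/)?([^:/]+)(?::(\*|\d+))?$/.exec(expr);
  if (!m) return false;
  const [, scheme, host, port] = m;
  if (scheme && url.protocol !== scheme + ":") return false;
  const h = url.hostname.toLowerCase();
  if (host.startsWith("*.")) {
    // "*.github.com" matches any subdomain but never the bare parent host.
    const suffix = host.slice(1).toLowerCase();
    if (!h.endsWith(suffix) || h.length === suffix.length) return false;
  } else if (host.toLowerCase() !== h) {
    return false; // exact host only: github.com != api.github.com
  }
  // Port: absent means the scheme's default port (URL strips that to "");
  // "*" means any port; a number must match exactly.
  const defaultPort = url.protocol === "https:" ? "443" : "80";
  if (port === undefined) return url.port === "";
  return port === "*" || port === (url.port || defaultPort);
}

// Would a fetch() to `target` be allowed under this list? Page origin is an
// assumed value for the example.
function connectAllowed(target, list = DEFAULT_SRC, pageOrigin = "https://en.wikipedia.org") {
  const url = new URL(target);
  return list.some((expr) => sourceMatches(expr, url, pageOrigin));
}
```

Running connectAllowed on the two GitHub URLs shows the asymmetry the report describes: the repository page on github.com passes, the same path on api.github.com does not, while a wildcard entry such as https://*.wikipedia.org covers en.wikipedia.org.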