Logs Showing Wierd Blocked URL’s

I have the weird Google domains showing up on a number of sites too. Not sure what they are, probably a tracking pixel for advertising as they seem to be predominately img-src reports. I see you run Google ads on your site, this might be Google trying to find local ads for non-UK visitors.

I see you’re using CSP version 2, have you tried version 3? I was wondering if it worked for you or if you’re happy with version 2. Main difference is nonces used to approve styles and scripts rather than adding domains individually – that might fix your Google domain issue. It’s tricky to implement as some plugins will not work happily with version 3 and you might need to change some of your code.

It looks like you have an error in your CSP:
The source list for Content Security Policy directive ‘img-src’ contains a source with an invalid path: ‘/api/capture?access_key=8df67e5f400883f215f8e8d7a7588bf4&url=https://goo.gl/dLZtta&viewport=414×736&fullpage=1&delay=3’. The query component, including the ‘?’, will be ignored.

Did the plugin flag this? If not I might need to add it.

It’s weird as we are a UK based charity that geolocates AdWords for UK only, we don’t provide anything abroad. I was thinking analytics but don’t want to approve anything that might not be Ok.

I had only just noticed CSP 3 yesterday when I was looking at this issue, I wanted to take a deeper look before jumping in, i’ll probably enable on a Staging site to check it doesn’t mess anything up.

Thanks for highlighting the error, I was having caching issues and was trying everything to get the damn mobile image to show. Forgot to remove it! The plugin did not flag this and I go in and check the logs and policy weekly.

Thanks for getting back to me, much appreciated.