Update Content Security Policy for GA4 (#5953)

support-frontend/conf/CODE.public.conf

@@ -31,7 +31,7 @@ metric.url="https://metric-push-api-code.support.guardianapis.com/metric-push-ap
 
 play.filters.csp.directives {
   # both https://www.theguardian.com/ https://theguardian.com/ needed for the gu.com/font-loader endpoint to work
-  default-src="'self' https://td.doubleclick.net https://pagead2.googlesyndication.com https://ccpa-pm.sp-prod.net https://cdn.privacy-mgmt.com https://gdpr-tcfv2.sp-prod.net https://ccpa-service.sp-prod.net https://ccpa-notice.sp-prod.net https://sourcepoint.theguardian.com https://ccpa.sp-prod.net https://services.postcodeanywhere.co.uk https://stripe-intent-code.support.guardianapis.com www.paypalobjects.com t.paypal.com/ members-data-api.code.dev-theguardian.com metric-push-api-code.support.guardianapis.com www.paypal.com www.sandbox.paypal.com js.stripe.com https://payments-sandbox.amazon.com https://api-cdn.amazon.com static-na.payments-amazon.com ophan.theguardian.com j.ophan.co.uk media.guim.co.uk i.guim.co.uk uploads.guim.co.uk www.google-analytics.com www.googletagmanager.com tagmanager.google.com assets.guim.co.uk www.googleadservices.com googleads.g.doubleclick.net www.google.com www.google.co.uk static.ads-twitter.com bat.bing.com bid.g.doubleclick.net t.co analytics.twitter.com stats.g.doubleclick.net www.youtube-nocookie.com connect.facebook.net www.facebook.com checkout.stripe.com fonts.googleapis.com ssl.gstatic.com www.gstatic.com fonts.gstatic.com sentry.io *.quantummetric.com blob: data: wss: 'unsafe-inline' q.stripe.com payment.code.dev-guardianapis.com https://interactive.guim.co.uk/ https://www.theguardian.com/ https://theguardian.com/"
+  default-src="'self' https://region1.analytics.google.com https://td.doubleclick.net https://pagead2.googlesyndication.com https://ccpa-pm.sp-prod.net https://cdn.privacy-mgmt.com https://gdpr-tcfv2.sp-prod.net https://ccpa-service.sp-prod.net https://ccpa-notice.sp-prod.net https://sourcepoint.theguardian.com https://ccpa.sp-prod.net https://services.postcodeanywhere.co.uk https://stripe-intent-code.support.guardianapis.com www.paypalobjects.com t.paypal.com/ members-data-api.code.dev-theguardian.com metric-push-api-code.support.guardianapis.com www.paypal.com www.sandbox.paypal.com js.stripe.com https://payments-sandbox.amazon.com https://api-cdn.amazon.com static-na.payments-amazon.com ophan.theguardian.com j.ophan.co.uk media.guim.co.uk i.guim.co.uk uploads.guim.co.uk www.google-analytics.com www.googletagmanager.com tagmanager.google.com assets.guim.co.uk www.googleadservices.com googleads.g.doubleclick.net www.google.com www.google.co.uk static.ads-twitter.com bat.bing.com bid.g.doubleclick.net t.co analytics.twitter.com stats.g.doubleclick.net www.youtube-nocookie.com connect.facebook.net www.facebook.com checkout.stripe.com fonts.googleapis.com ssl.gstatic.com www.gstatic.com fonts.gstatic.com sentry.io *.quantummetric.com blob: data: wss: 'unsafe-inline' q.stripe.com payment.code.dev-guardianapis.com https://interactive.guim.co.uk/ https://www.theguardian.com/ https://theguardian.com/"
   frame-ancestors="https://gnmtouchpoint--dev1--c.cs88.visual.force.com https://gnmtouchpoint--dev1.lightning.force.com https://m.code.dev-theguardian.com https://gnmtouchpoint--dev1--c.sandbox.vf.force.com https://gnmtouchpoint--dev1.sandbox.lightning.force.com"
   script-src=null
 }

support-frontend/conf/DEV.public.conf

@@ -33,7 +33,7 @@ metric.url="https://metric-push-api-code.support.guardianapis.com/metric-push-ap
 
 play.filters.csp.directives {
   # both https://www.theguardian.com/ https://theguardian.com/ needed for the gu.com/font-loader endpoint to work
-  default-src="'self' https://td.doubleclick.net https://pagead2.googlesyndication.com https://ccpa-pm.sp-prod.net https://cdn.privacy-mgmt.com https://gdpr-tcfv2.sp-prod.net https://ccpa-service.sp-prod.net https://ccpa-notice.sp-prod.net https://sourcepoint.theguardian.com https://ccpa.sp-prod.net https://services.postcodeanywhere.co.uk https://support.code.dev-theguardian.com/ https://stripe-intent-code.support.guardianapis.com http://localhost:9000 members-data-api.thegulocal.com metric-push-api-code.support.guardianapis.com www.paypalobjects.com www.paypal.com t.paypal.com www.sandbox.paypal.com js.stripe.com https://payments-sandbox.amazon.com https://api-cdn.amazon.com static-na.payments-amazon.com ophan.theguardian.com j.ophan.co.uk media.guim.co.uk i.guim.co.uk uploads.guim.co.uk www.google-analytics.com www.googletagmanager.com tagmanager.google.com assets.guim.co.uk www.googleadservices.com googleads.g.doubleclick.net www.google.com www.google.co.uk static.ads-twitter.com bat.bing.com bid.g.doubleclick.net t.co analytics.twitter.com stats.g.doubleclick.net www.youtube-nocookie.com connect.facebook.net www.facebook.com checkout.stripe.com fonts.googleapis.com ssl.gstatic.com www.gstatic.com fonts.gstatic.com sentry.io *.quantummetric.com blob: data: wss: 'unsafe-inline' 'unsafe-eval'  q.stripe.com payment.code.dev-guardianapis.com https://interactive.guim.co.uk/ https://www.theguardian.com/ https://theguardian.com/"
+  default-src="'self' https://region1.analytics.google.com https://td.doubleclick.net https://pagead2.googlesyndication.com https://ccpa-pm.sp-prod.net https://cdn.privacy-mgmt.com https://gdpr-tcfv2.sp-prod.net https://ccpa-service.sp-prod.net https://ccpa-notice.sp-prod.net https://sourcepoint.theguardian.com https://ccpa.sp-prod.net https://services.postcodeanywhere.co.uk https://support.code.dev-theguardian.com/ https://stripe-intent-code.support.guardianapis.com http://localhost:9000 members-data-api.thegulocal.com metric-push-api-code.support.guardianapis.com www.paypalobjects.com www.paypal.com t.paypal.com www.sandbox.paypal.com js.stripe.com https://payments-sandbox.amazon.com https://api-cdn.amazon.com static-na.payments-amazon.com ophan.theguardian.com j.ophan.co.uk media.guim.co.uk i.guim.co.uk uploads.guim.co.uk www.google-analytics.com www.googletagmanager.com tagmanager.google.com assets.guim.co.uk www.googleadservices.com googleads.g.doubleclick.net www.google.com www.google.co.uk static.ads-twitter.com bat.bing.com bid.g.doubleclick.net t.co analytics.twitter.com stats.g.doubleclick.net www.youtube-nocookie.com connect.facebook.net www.facebook.com checkout.stripe.com fonts.googleapis.com ssl.gstatic.com www.gstatic.com fonts.gstatic.com sentry.io *.quantummetric.com blob: data: wss: 'unsafe-inline' 'unsafe-eval'  q.stripe.com payment.code.dev-guardianapis.com https://interactive.guim.co.uk/ https://www.theguardian.com/ https://theguardian.com/"
   frame-ancestors="https://gnmtouchpoint--dev1--c.cs88.visual.force.com https://gnmtouchpoint--dev1.lightning.force.com http://localhost:6006 http://localhost:3030 https://gnmtouchpoint--dev1--c.sandbox.vf.force.com https://gnmtouchpoint--dev1.sandbox.lightning.force.com"
   script-src=null
 }

support-frontend/conf/PROD.public.conf

@@ -30,7 +30,7 @@ metric.url="https://metric-push-api-prod.support.guardianapis.com/metric-push-ap
 
 play.filters.csp.directives {
   # both https://www.theguardian.com/ https://theguardian.com/ needed for the gu.com/font-loader endpoint to work
-  default-src="'self' https://td.doubleclick.net https://pagead2.googlesyndication.com https://ccpa-pm.sp-prod.net https://cdn.privacy-mgmt.com https://gdpr-tcfv2.sp-prod.net https://ccpa-service.sp-prod.net https://ccpa-notice.sp-prod.net https://sourcepoint.theguardian.com https://ccpa.sp-prod.net https://services.postcodeanywhere.co.uk https://stripe-intent.support.guardianapis.com members-data-api.theguardian.com metric-push-api-prod.support.guardianapis.com www.paypalobjects.com www.paypal.com t.paypal.com www.sandbox.paypal.com js.stripe.com https://payments.amazon.com https://payments-sandbox.amazon.com https://coin.amazonpay.com https://api-cdn.amazon.com static-na.payments-amazon.com ophan.theguardian.com j.ophan.co.uk media.guim.co.uk i.guim.co.uk uploads.guim.co.uk www.google-analytics.com www.googletagmanager.com tagmanager.google.com assets.guim.co.uk www.googleadservices.com googleads.g.doubleclick.net www.google.com www.google.co.uk static.ads-twitter.com bat.bing.com bid.g.doubleclick.net t.co analytics.twitter.com stats.g.doubleclick.net www.youtube-nocookie.com connect.facebook.net www.facebook.com checkout.stripe.com fonts.googleapis.com ssl.gstatic.com www.gstatic.com fonts.gstatic.com sentry.io *.quantummetric.com blob: data: wss: 'unsafe-inline' q.stripe.com payment.guardianapis.com https://interactive.guim.co.uk/ https://www.theguardian.com/ https://theguardian.com/"
+  default-src="'self' https://region1.analytics.google.com https://td.doubleclick.net https://pagead2.googlesyndication.com https://ccpa-pm.sp-prod.net https://cdn.privacy-mgmt.com https://gdpr-tcfv2.sp-prod.net https://ccpa-service.sp-prod.net https://ccpa-notice.sp-prod.net https://sourcepoint.theguardian.com https://ccpa.sp-prod.net https://services.postcodeanywhere.co.uk https://stripe-intent.support.guardianapis.com members-data-api.theguardian.com metric-push-api-prod.support.guardianapis.com www.paypalobjects.com www.paypal.com t.paypal.com www.sandbox.paypal.com js.stripe.com https://payments.amazon.com https://payments-sandbox.amazon.com https://coin.amazonpay.com https://api-cdn.amazon.com static-na.payments-amazon.com ophan.theguardian.com j.ophan.co.uk media.guim.co.uk i.guim.co.uk uploads.guim.co.uk www.google-analytics.com www.googletagmanager.com tagmanager.google.com assets.guim.co.uk www.googleadservices.com googleads.g.doubleclick.net www.google.com www.google.co.uk static.ads-twitter.com bat.bing.com bid.g.doubleclick.net t.co analytics.twitter.com stats.g.doubleclick.net www.youtube-nocookie.com connect.facebook.net www.facebook.com checkout.stripe.com fonts.googleapis.com ssl.gstatic.com www.gstatic.com fonts.gstatic.com sentry.io *.quantummetric.com blob: data: wss: 'unsafe-inline' q.stripe.com payment.guardianapis.com https://interactive.guim.co.uk/ https://www.theguardian.com/ https://theguardian.com/"
   frame-ancestors="https://gnmtouchpoint--c.eu31.visual.force.com https://gnmtouchpoint.lightning.force.com https://www.theguardian.com https://gnmtouchpoint--c.vf.force.com"
   script-src=null
 }