Changelog entry
Security: tightened CSP connect-src to explicit allowlist (Issue #762)
2026-04-02
- Replaced the `connect-src 'self' https:` policy, whose `https:` scheme-source permitted fetch/XHR connections to any HTTPS origin, with an explicit allowlist of the origins the site actually needs (first-party, Google Ads/DoubleClick, Tag Services).
- Added regression tests that fail if the `https:` scheme-source (or any other scheme-only or `*` source) is reintroduced into `connect-src`, including via a `default-src` fallback.
- Added `docs/security/csp-connect-src-allowlist-20260402.md` documenting ownership and the change process.
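The following is an added example of the kind of regression check this entry describes; it is not the project's own test code. It parses a Content-Security-Policy header, resolves the effective `connect-src` list (falling back to `default-src` as browsers do), and flags scheme-only sources such as `https:` and bare `*` hosts. The allowlisted hostnames in `NEW_CSP` are illustrative assumptions, not values taken from the page.

```python
"""Regression check for CSP connect-src: reject scheme-only and bare-wildcard sources.

Added example, not project code. Header strings below are constructed; the
Google hostnames are assumed for illustration only.
"""

# Constructed "before" policy: `https:` allows connections to any HTTPS origin.
OLD_CSP = "default-src 'self'; connect-src 'self' https:; img-src 'self' data:"

# Constructed "after" policy: explicit origins only (hostnames are assumptions).
NEW_CSP = (
    "default-src 'self'; "
    "connect-src 'self' https://www.googletagservices.com "
    "https://googleads.g.doubleclick.net; "
    "img-src 'self' data:"
)


def parse_csp(header):
    """Return {directive: [source, ...]} for a CSP header string.

    Directives are ';'-separated, tokens whitespace-separated, names
    case-insensitive. Browsers ignore a repeated directive, so keep the first.
    """
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if not tokens:
            continue
        policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective_sources(policy, directive):
    """Sources governing `directive`; fetch directives such as connect-src
    inherit from default-src when absent."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src", [])


def is_wildcard_source(token):
    """True for sources that match broad sets of origins rather than a host:
    '*', scheme-only sources like 'https:' or 'data:', and hosts that are
    just '*' (e.g. 'https://*'). Subdomain wildcards such as
    'https://*.example.com' are left to policy review and not flagged here."""
    t = token.lower()
    if t == "*":
        return True
    if t.endswith(":") and "/" not in t:  # scheme-source, no host part
        return True
    host = t.split("://", 1)[1] if "://" in t else t
    host = host.split("/", 1)[0].split(":", 1)[0]  # strip path and port
    return host == "*"


def wildcard_sources(header, directive="connect-src"):
    """Return the wildcard-style sources in the directive's effective list."""
    sources = effective_sources(parse_csp(header), directive)
    return [s for s in sources if is_wildcard_source(s)]


def is_explicit_allowlist(header, directive="connect-src"):
    """True when the directive is present (directly or via default-src),
    non-empty, and contains no wildcard-style sources."""
    sources = effective_sources(parse_csp(header), directive)
    return bool(sources) and not wildcard_sources(header, directive)


if __name__ == "__main__":
    for label, csp in (("old", OLD_CSP), ("new", NEW_CSP)):
        print(label, "connect-src wildcards:", wildcard_sources(csp),
              "explicit allowlist:", is_explicit_allowlist(csp))
```

Wire `is_explicit_allowlist` into the test suite against the header the server actually emits (or the source file that defines it) so a future edit reintroducing `https:` fails CI rather than shipping.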