Re: [Analytics] Whitelisting the Pageviews API to avoid Content Security Policy warnings

Hello Analytics! Recently, it seems browsers started throwing warnings when attempting to load resources via XHR, unless they are whitelisted with a meta tag (I think is how it works). So for instance, in the JavaScript console, https://tools.wmflabs.org/pageviews now throws the warning: [Report Only] Refused to connect to 'https://wikimedia.org/api/rest_v1/metrics/pageviews/per-article/en.wikipedia/all-access/user/Cat/daily/2018020100/2018022800' because it violates the following Content Security Policy directive: "default-src 'self' 'unsafe-eval' 'unsafe-inline' blob: data: filesystem: mediastream: *.wikibooks.org *.wikidata.org *.wikimedia.org *.wikinews.org *.wikipedia.org *.wikiquote.org *.wikisource.org *.wikiversity.org *.wikivoyage.org *.wiktionary.org *.wmflabs.org wikimediafoundation.org *.mediawiki.org ". Note that 'connect-src' was not explicitly set, so 'default-src' is used as a fallback. This is not an issue with the Pageviews API, specifically, but it appears many of the tools using it are affected (Treeviews, Wikistats, etc.). So I was hoping you kind folks would know of a solution? I've been trying to go by https://developers.google.com/web/fundamentals/security/csp/ for clues. I think we need something similar to: <meta http-equiv="Content-Security-Policy" content="connect-src 'self' wikimedia.org;"> But this does not do the trick. Any ideas?