The current explanation for why *.googleapis.com is dangerous is the following:
ajax.googleapis.com is known to host JSONP endpoints and Angular libraries which allow to bypass this CSP.
I find this weirdly specific, since this rule allows a much broader point of entry than ajax.googleapis.com: storage.googleapis.com allows anyone to upload and serve any file, without any checks or restrictions, for example: https://storage.googleapis.com/bg-common/samples/evil.js
I believe the warning would be better worded like this:
storage.googleapis.com allows anyone to upload and serve any file, without any checks or restrictions.
This makes it more universal, as it's not related to either Angular or JSONP, which seem more niche and not necessarily relevant to the person reading.
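To make the point above concrete, here is an added example (not code from the csp-evaluator project or from the issue author) that applies CSP3 host-source matching to a script-src list. The policies WEAK_POLICY and TIGHT_POLICY are constructed for the demonstration, the sample library URL under ajax.googleapis.com is constructed, and port matching is deliberately left out; the evil.js URL is the one quoted in the issue.

```python
"""Added example: which script URLs does a CSP script-src list admit?

Shows that the wildcard *.googleapis.com covers storage.googleapis.com
(user-uploadable content) and ajax.googleapis.com alike, and that pinning
the exact host and path prefix closes that gap. Not project code."""

# Constructed policies for the demonstration.
WEAK_POLICY = "default-src 'none'; script-src 'self' *.googleapis.com"
TIGHT_POLICY = "default-src 'none'; script-src 'self' https://ajax.googleapis.com/ajax/libs/"

# Hosts under googleapis.com that can serve attacker-controllable script,
# with the reasons given in the issue text.
USER_CONTENT_HOSTS = {
    "storage.googleapis.com": "anyone can upload and serve arbitrary files",
    "ajax.googleapis.com": "hosts JSONP endpoints and Angular libraries",
}


def parse_directive(policy, name):
    """Return the source list of the first `name` directive (CSP ignores later duplicates)."""
    for directive in policy.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == name:
            return tokens[1:]
    return []


def split_source(source, page_scheme="https"):
    """Split a host-source such as 'https://host/path' into (scheme, host, path).
    A scheme-less source inherits the protected page's scheme, as CSP3 specifies.
    Port matching is omitted in this example."""
    if "://" in source:
        scheme, rest = source.split("://", 1)
    else:
        scheme, rest = page_scheme, source
    host, _, path = rest.partition("/")
    host = host.split(":")[0]
    return scheme.lower(), host.lower(), ("/" + path) if path else ""


def split_url(url):
    """Split an absolute URL into (scheme, host, path); query and fragment are dropped."""
    scheme, rest = url.split("://", 1)
    host, _, path = rest.partition("/")
    host = host.split(":")[0]
    path = path.split("?")[0].split("#")[0]
    return scheme.lower(), host.lower(), "/" + path


def host_matches(pattern_host, host):
    """'*.example.com' matches any subdomain (one or more labels) but not example.com itself."""
    if pattern_host.startswith("*."):
        return host.endswith(pattern_host[1:]) and host != pattern_host[2:]
    return host == pattern_host


def source_allows(source, url, page_scheme="https"):
    """Does one host-source expression admit `url`? Keyword sources ('self', nonces, ...) are skipped."""
    if source.startswith("'"):
        return False
    p_scheme, p_host, p_path = split_source(source, page_scheme)
    u_scheme, u_host, u_path = split_url(url)
    # An http: source also admits https: (CSP3 scheme upgrade); otherwise schemes must match.
    if u_scheme != p_scheme and not (p_scheme == "http" and u_scheme == "https"):
        return False
    if not host_matches(p_host, u_host):
        return False
    if p_path:
        # A path ending in '/' is a prefix match; any other path must match exactly.
        return u_path.startswith(p_path) if p_path.endswith("/") else u_path == p_path
    return True


def script_allowed(policy, url):
    """True if `url` may load as a script under `policy` (script-src, else default-src)."""
    sources = parse_directive(policy, "script-src") or parse_directive(policy, "default-src")
    return any(source_allows(s, url) for s in sources)


def wildcard_exposures(policy):
    """List (source, host, reason) for script-src wildcards that also cover a user-content host."""
    findings = []
    for source in parse_directive(policy, "script-src"):
        if source.startswith("'"):
            continue
        _, p_host, _ = split_source(source)
        for host, reason in USER_CONTENT_HOSTS.items():
            if p_host != host and host_matches(p_host, host):
                findings.append((source, host, reason))
    return findings


if __name__ == "__main__":
    evil = "https://storage.googleapis.com/bg-common/samples/evil.js"  # URL quoted in the issue
    print("weak policy allows evil.js: ", script_allowed(WEAK_POLICY, evil))
    print("tight policy allows evil.js:", script_allowed(TIGHT_POLICY, evil))
    for source, host, reason in wildcard_exposures(WEAK_POLICY):
        print(f"{source!r} also covers {host}: {reason}")
```

Running it reports that the weak policy admits evil.js while the tight one does not, and wildcard_exposures names both googleapis.com hosts behind the wildcard; the second function is the kind of check a policy linter can run to produce the broader warning the issue asks for.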