If one creates a CSP (Content-Security-Policy) directive for one's http security headers (and one should) it seems one ought refrain from using the asterisk (*) character when allowing hosts, and other than one's own domain, one ought not allow entire domains when drawing resources from outside.
Consider this common style of