From 90927276039afcb4c19748e16cda24d6497ceb91 Mon Sep 17 00:00:00 2001
From: Luc Vachon <lvachon1@mbta.com>
Date: Thu, 28 May 2026 12:33:28 -0400
Subject: [PATCH] Added domains to our allow-list for various marketing
 tracking pixels.

---
 lib/dotcom_web/plugs/content_security_policy.ex | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/lib/dotcom_web/plugs/content_security_policy.ex b/lib/dotcom_web/plugs/content_security_policy.ex
index e44a46353d..b2b7e3c23f 100644
--- a/lib/dotcom_web/plugs/content_security_policy.ex
+++ b/lib/dotcom_web/plugs/content_security_policy.ex
@@ -12,16 +12,20 @@ defmodule DotcomWeb.Plugs.ContentSecurityPolicy do
         'self'
         #{@tile_server_url}
         *.arcgis.com
+        ad.doubleclick.net
         analytics.google.com
         analytics.tiktok.com
         analytics-ipv6.tiktokw.us
+        bded8a3c6ae-1-1053047382554.us-central1.run.app
         cdn.mbta.com
+        md-eecad2978f7a43f5b7838c919258e6de.ecs.us-east-2.on.aws
         px.ads.linkedin.com
         stats.g.doubleclick.net
         translate.googleapis.com
         translate-pa.googleapis.com
         www.google.com
         www.google-analytics.com
+        www.googleadservices.com
         www.googletagmanager.com
       ],
     default_src: ~w['self'],
@@ -31,6 +35,7 @@ defmodule DotcomWeb.Plugs.ContentSecurityPolicy do
         *.arcgis.com
         *.soundcloud.com
         *.vimeo.com
+        14897135.fls.doubleclick.net
         cdn.knightlab.com
         data.mbta.com
         livestream.com