google / csp-evaluator

https://csp-evaluator.withgoogle.com
Apache License 2.0

Remove deprecated Twitter JSONP Endpoint #53

Closed lucasassisrosa closed 11 months ago

lucasassisrosa commented 1 year ago

The Twitter JSONP endpoint is outdated compared to the oEmbed API.

Replace it with https://publish.twitter.com/oembed. Example: https://jsfiddle.net/kfv2qr9e/

lweichselbaum commented 1 year ago

Thank you for your PR. It looks like publish.twitter.com/oembed is not a JSONP endpoint, but instead returns JSON. This is good from a security perspective, but it also means that it cannot be used to bypass an allowlist-based CSP. For this reason we shouldn't add the publish.twitter.com/oembed endpoint to jsonp.json.
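The distinction drawn in the reply above, as an added example (this is not csp-evaluator's code and not part of the PR; the endpoints, policies and response bodies are constructed): a JSONP endpoint reflects the callback parameter into executable script, so a page whose script-src allowlists that host can be made to run attacker-chosen JavaScript by pointing a script tag at it, whereas a JSON response does not even parse as a script. The small matcher that checks a CSP allowlist against a list of known JSONP hosts is a simplified version of the idea behind jsonp.json, not the project's own implementation.

```javascript
// Added example, not csp-evaluator's own code. Every endpoint, policy and
// response body below is constructed for illustration.

// Hypothetical hosts known to serve a JSONP endpoint (the role jsonp.json
// plays in csp-evaluator). Real entries would be actual JSONP URLs.
const KNOWN_JSONP_ENDPOINTS = [
  "https://jsonp.example.com/api/tweets",
  "https://cdn.example.org/widget/feed",
];

// Return the script-src sources of a CSP string, falling back to default-src
// as the browser does when script-src is absent.
function scriptSources(csp) {
  const directives = new Map();
  for (const part of csp.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    directives.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  return directives.get("script-src") ?? directives.get("default-src") ?? [];
}

// Simplified host-source matcher: handles '*', scheme-only sources, origins,
// bare hosts, '*.host' wildcards and path prefixes. Keyword sources such as
// 'self', nonces and hashes never admit a third-party URL, so they return false.
// This is not the full CSP source-expression grammar (ports, exact-path rules).
function sourceMatches(source, urlString) {
  const url = new URL(urlString);
  if (source === "*") return true;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return url.protocol === source.toLowerCase();
  if (source.startsWith("'")) return false;
  const src = source.includes("://") ? source : `${url.protocol}//${source}`;
  const scheme = src.slice(0, src.indexOf("//"));
  if (scheme.toLowerCase() !== url.protocol) return false;
  const [hostPart, ...pathParts] = src.slice(src.indexOf("//") + 2).split("/");
  const hostOk = hostPart.startsWith("*.")
    ? url.hostname.endsWith(hostPart.slice(1))
    : url.hostname === hostPart;
  const pathOk = pathParts.length === 0 || url.pathname.startsWith("/" + pathParts.join("/"));
  return hostOk && pathOk;
}

// Every known JSONP endpoint that the policy's script allowlist admits is a
// CSP bypass: the attacker needs only a script tag pointing at it.
function jsonpBypasses(csp, endpoints = KNOWN_JSONP_ENDPOINTS) {
  const sources = scriptSources(csp);
  return endpoints.filter((ep) => sources.some((s) => sourceMatches(s, ep)));
}

// The injected tag. The trailing "//" comments out the "(...)" wrapper the
// endpoint appends after the reflected callback name.
function bypassScriptTag(endpoint, jsPayload) {
  return `<script src="${endpoint}?callback=${encodeURIComponent(jsPayload + "//")}"></script>`;
}

// Classify a body fetched with ?callback=<name>. JSONP echoes the callback
// (optionally behind the common "/**/" anti-sniffing prefix); JSON does not.
function responseKind(body, callbackName) {
  let s = body.trim();
  if (s.startsWith("/**/")) s = s.slice(4);
  if (s.startsWith(callbackName)) return "jsonp";
  try { JSON.parse(s); return "json"; } catch { return "other"; }
}

// Would a browser even be able to run the body as a script? Parse only; nothing
// is executed. A JSON object literal is a syntax error as a statement.
function parsesAsScript(body) {
  try { new Function(body); return true; } catch { return false; }
}

// Constructed sample responses for callback=alert(1)//
const CALLBACK = "alert(1)//";
const JSONP_BODY = `/**/alert(1)//({"statuses":[{"text":"hi"}]});`;
const JSON_BODY = `{"url":"https://twitter.com/example/status/1","html":"<blockquote>example</blockquote>","type":"rich"}`;

console.log(jsonpBypasses("default-src 'self'; script-src 'self' https://jsonp.example.com"));
console.log(bypassScriptTag(KNOWN_JSONP_ENDPOINTS[0], "alert(1)"));
console.log(responseKind(JSONP_BODY, CALLBACK), parsesAsScript(JSONP_BODY));
console.log(responseKind(JSON_BODY, CALLBACK), parsesAsScript(JSON_BODY));
```

The last two lines are the whole argument of the reply: the JSONP body both starts with the attacker's callback and parses as a script, while the oEmbed-style JSON body does neither, so allowlisting the JSON host buys an attacker nothing and it does not belong in a list of bypass endpoints.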