Safari blocks the Tencent captcha JS resource that is not in the CSP list itself but is requested by JS that is in the CSP list

Problem to solve

The https://*.qq.com/ entry is already on the CSP list, so https://ssl.captcha.qq.com/TCaptcha.js loads successfully in all browsers. That script then issues a new request for https://captcha.gtimg.com/1/tcaptcha-frame.[hash].js. In Safari, any resource whose origin is not on the CSP list is blocked, even when the script that requested it is itself on the CSP list.

Fortunately, https://ssl.captcha.qq.com/TCaptcha.js falls back to requesting https://t.captcha.qq.com/tcaptcha-frame.[hash].js, which matches https://*.qq.com/, so the captcha feature still works.

For the robustness of this feature, we should add https://captcha.gtimg.com/ to the CSP list rather than relying on the fallback request made by the Tencent captcha JavaScript.

Proposal

Add https://captcha.gtimg.com/ to the CSP list.
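The following is an added example, not code from this issue or from GitLab: a small CSP host-source matcher that checks the three URLs in the request chain above against a constructed `script-src` allowlist, once without and once with the proposed `https://captcha.gtimg.com/` entry. It shows why the second-hop request is blocked: every script URL is matched against the allowlist on its own, and nothing is inherited from the script that issued the request. The policy lists, the `EXAMPLEHASH` segment standing in for `[hash]`, and the function names are all assumptions made for the example.

```python
"""Minimal CSP host-source matcher (added example; not GitLab's own code).

Answers one question: does a script-src allowlist contain a source
expression that covers a given script URL?  Sub-resources fetched *by* an
allowed script are matched against the same allowlist independently.
"""
from typing import List, Optional
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def _host_matches(pattern: str, host: str) -> bool:
    """CSP host matching: '*' matches any host, '*.qq.com' matches any
    subdomain of qq.com (but not qq.com itself), otherwise exact match."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]                      # ".qq.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return pattern == host


def _path_matches(pattern: str, path: str) -> bool:
    """'' or '/' allows any path; a pattern ending in '/' is a directory
    prefix; anything else must match the URL path exactly."""
    if pattern in ("", "/"):
        return True
    if pattern.endswith("/"):
        return path.startswith(pattern)
    return path == pattern


def source_allows(source: str, url: str) -> bool:
    """True if one host-source expression (e.g. 'https://*.qq.com/') allows url."""
    if "://" not in source:
        source = "//" + source                    # scheme-less source: any scheme
    s, u = urlsplit(source), urlsplit(url)
    if s.scheme and s.scheme != u.scheme:
        return False
    if not (s.hostname and u.hostname and _host_matches(s.hostname, u.hostname)):
        return False
    s_port = s.port or DEFAULT_PORTS.get(s.scheme or u.scheme)
    u_port = u.port or DEFAULT_PORTS.get(u.scheme)
    if s_port != u_port:
        return False
    return _path_matches(s.path, u.path)


def matching_source(script_src: List[str], url: str) -> Optional[str]:
    """Return the first source expression that allows url, or None if the
    browser would block it.  Keyword sources such as 'self' would need the
    document origin, so they are skipped in this example."""
    for source in script_src:
        if source.startswith("'"):
            continue
        if source_allows(source, url):
            return source
    return None


# Constructed excerpts of a script-src allowlist; not GitLab's actual policy.
CURRENT_SCRIPT_SRC = ["'self'", "https://*.qq.com/"]
PROPOSED_SCRIPT_SRC = CURRENT_SCRIPT_SRC + ["https://captcha.gtimg.com/"]

# The request chain from the issue; EXAMPLEHASH is a constructed placeholder.
CAPTCHA_LOADER = "https://ssl.captcha.qq.com/TCaptcha.js"
FRAME_PRIMARY = "https://captcha.gtimg.com/1/tcaptcha-frame.EXAMPLEHASH.js"
FRAME_FALLBACK = "https://t.captcha.qq.com/tcaptcha-frame.EXAMPLEHASH.js"

if __name__ == "__main__":
    for name, policy in (("current", CURRENT_SCRIPT_SRC),
                         ("proposed", PROPOSED_SCRIPT_SRC)):
        for url in (CAPTCHA_LOADER, FRAME_PRIMARY, FRAME_FALLBACK):
            hit = matching_source(policy, url)
            verdict = "ALLOW" if hit else "BLOCK"
            print(f"{name:8} {verdict:5} {url}  <- {hit}")
```

Running it prints the loader and the fallback frame URL as allowed under both policies, and the primary frame URL on captcha.gtimg.com as blocked until the proposed entry is present. The matcher also rejects the bare apex (`https://qq.com/`, which `*.qq.com` does not cover), a scheme downgrade to `http://`, and a non-default port, which are the usual ways an allowlist entry silently fails to match.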

Edited by Qian Zhang (Gary) on Dec 23, 2021