CSP issues #12
Description
Hi,
I'm working on adding telegram auth to discourse and am running into this issue when I plug in omniauth-telegram into the existing framework:
Content Security Policy: The page’s settings blocked the loading of a resource at https://telegram.org/js/telegram-widget.js?4 (“script-src”).
This is a CSRF issue, and I'm not sure if omniauth can either flag telegram.org as a site that can be loaded or if you can mark /auth/telegram as less protected.