Looks like we'll have to add https://*.google.* to the CSP. 

The response from ddljson isn't dependent upon the request address, https://www.google.com.sg/async/ddljson still returns data referencing google.com. Probably based on other request headers.

Huh, I thought we could just always serve Doodles from google.com. (Due to some unrelated recent-ish changes, the TLD actually has very little effect on anything.) Before making any changes to the CSP, I'd recommend reaching out to the Doodle folks to figure out if that's not the case anymore.

Does the ddljson API return absolute URLs using country TLDs? If so, I think that'd be a bug in ddljson, since it should just return google.com.
However, maybe it actually returns relative URLs and Chrome resolves them against the ddljson base URL. In that case, the fix might need to be in Chrome.

If you do end up changing the CSP, you probably want to check with Chrome security first.

Yeah, I can't reproduce ddljson returning anything but google.com.

Another possibility is that the doodle somehow appeared expired and it redirected to the appropriate gallery url (https://www.google.TLD/doodles/something?doodle=1234).

Ah, read through some of this domainless stuff and tried various combinations of TLDs and sending '?gl=XX', which eliminated all my ideas. I'll investigate more / talk to the doodle team.

Testing with today's Halloween Doodle:

navigating to 'http://www.google.com/async/ddljson?gl=mx' returns a ddljson with "fullpage_interactive_url":"https://www.google.com.mx/?fpdoodle\u003d1\u0026doodle\u003d73509581\u0026hl\u003des-419".

So, looks like a bug in ddljson returning google.TLD.

Internal bug: b/118703697