Content-Security-Policy. Make it tight.
Google, allow it to reference your images so they show in the search box.
Wildcards. You can specify the left-side (*.domain) but not the right side (domain.*).
OK, lets look up the list of google domains. I’ll let you Bing that. The answer is here.
Huh. That is a lot.
.google.com .google.ad .google.ae .google.com.af .google.com.ag .google.com.ai .google.al .google.am .google.co.ao .google.com.ar ...
Its larger than the probably allowable size of a Content-Security-Policy header. What is one to do? make img-src be *? But then the ad malware wanders in. Pick a few and hope?
Anyone have a suggestion for a best practice?