This sounds like a CSP wildcard mismatch. The pattern https://*.yourdomain does not match deeper subdomains like subdomain.dev.yourdomain — it only matches a single subdomain level (e.g., subdomain.yourdomain). You’d need the CSP on the service side to explicitly include https://*.dev.yourdomain to cover your local dev setup. Also, browsers (especially Chromium-based ones) cache CSP headers aggressively, so even after your domain was re-added, your browser may still be enforcing an old policy. Try an empty cache + hard reload or clear site data. Lastly, if your local HTTPS cert isn't fully trusted, CSP might silently fail or behave inconsistently.