Hi Howard,
If you want to operate a policy like that, the easiest way would be to blacklist twitter.com with no subdomain and allow all subdomains (the Twitter website itself is only served from the root domain). If you need an inclusive domain it’s harder because we have a number of Twitter assets spread over different domains.
At the simplest, you’ll need platform.twitter.com, syndication.twitter.com and cdn.syndication.twitter.com for the rendered widgets. You’ll also need *.twimg.com, which is where static assets like avatars and photos are served from.
Hope that helps,
Ben
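
The two policies described in the reply above, as an added example that is not part of the original post or any proxy's own code. The hostnames in the lists come from the reply; the function names, the normalization step and the rule that `*.` matches only on a label boundary (and not the bare domain) are assumptions.

```python
# Added example: hostname policy checks for a filtering proxy (hypothetical helpers).
BLOCK_EXACT = {"twitter.com"}          # policy 1: block only the bare site
ALLOW_PATTERNS = [                     # policy 2: hosts named in the reply
    "platform.twitter.com",
    "syndication.twitter.com",
    "cdn.syndication.twitter.com",
    "*.twimg.com",
]


def normalize(host):
    """Lower-case the host and drop any :port suffix and trailing root dot."""
    return host.strip().lower().split(":")[0].rstrip(".")


def matches(host, pattern):
    """Exact match, or for '*.example.com' a suffix match on a label boundary."""
    if pattern.startswith("*."):
        suffix = pattern[1:]           # ".twimg.com", leading dot kept on purpose
        # Keeping the dot stops "eviltwimg.com" from matching; the length
        # check stops the bare suffix from matching with no subdomain label.
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


def subdomains_only(host):
    """Policy 1: deny the root domain, allow every other host."""
    return normalize(host) not in BLOCK_EXACT


def widgets_only(host):
    """Policy 2: default deny, allow only the listed widget and asset hosts."""
    h = normalize(host)
    return any(matches(h, p) for p in ALLOW_PATTERNS)


if __name__ == "__main__":
    # Constructed sample hostnames, including look-alikes that must be denied.
    for sample in ["twitter.com", "Twitter.com.", "platform.twitter.com",
                   "a.twimg.com", "eviltwimg.com", "twimg.com.attacker.example"]:
        print(f"{sample:30} policy1={subdomains_only(sample)!s:5} "
              f"policy2={widgets_only(sample)}")
```

A plain `endswith("twimg.com")` check would let `eviltwimg.com` through, which is why the comparison keeps the leading dot.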