Solution 1 :

I had the same problem but was able to resolve it by using a hash with https://* whitelisted.

The script-src directive lets developers whitelist a particular inline
script by specifying its hash as an allowed source of script.

Usage is straightforward. The server computes the hash of a particular
script block’s contents, and includes the base64 encoding of that
value in the Content-Security-Policy header.

For example:

<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'sha256-...4aQo=' https://*">

Note that for dynamic applications it’s better to use a nonce.

Hope this helps!
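As an added example (not part of the answer above), the following Python computes the hash-source token the answer describes: it takes the exact text between `<script>` and `</script>`, SHA-256 hashes it, base64-encodes the digest, and emits the `'sha256-…'` token; it also generates a `'nonce-…'` token for the dynamic case the answer mentions. The sample HTML and the host `https://maps.googleapis.com` are constructed for illustration.

```python
from __future__ import annotations

import base64
import hashlib
import re
import secrets

# Constructed sample page: one inline script (to be hashed) and one external
# script (allowed by a host source; the key value is a placeholder).
SAMPLE_HTML = """<html><head>
<script>
  console.log("inline");
</script>
<script src="https://maps.googleapis.com/maps/api/js?key=PLACEHOLDER&libraries=places"></script>
</head><body></body></html>"""

SCRIPT_RE = re.compile(
    r"<script(?P<attrs>[^>]*)>(?P<body>.*?)</script>", re.DOTALL | re.IGNORECASE
)


def csp_hash_source(script_body: str, algo: str = "sha256") -> str:
    """Return the CSP hash-source token for one inline script body.

    The browser hashes exactly the bytes between the open and close tags,
    whitespace and newlines included, so the server must hash the text it
    actually emits; any later edit to the script invalidates the token.
    """
    digest = hashlib.new(algo, script_body.encode("utf-8")).digest()
    return f"'{algo}-{base64.b64encode(digest).decode('ascii')}'"


def csp_nonce_source(nonce_bytes: int = 16) -> tuple[str, str]:
    """Generate a fresh per-response nonce; returns (nonce, CSP token).

    The same nonce value goes into the header and into each <script nonce="...">
    the page emits; it must be unpredictable and never reused across responses.
    """
    nonce = base64.b64encode(secrets.token_bytes(nonce_bytes)).decode("ascii")
    return nonce, f"'nonce-{nonce}'"


def inline_script_hashes(html: str) -> list[str]:
    """Hash every inline <script> block in the page; skip blocks with src=."""
    tokens = []
    for match in SCRIPT_RE.finditer(html):
        if re.search(r"\bsrc\s*=", match.group("attrs"), re.IGNORECASE):
            continue  # external script: allow it via a host source instead
        tokens.append(csp_hash_source(match.group("body")))
    return tokens


def build_script_src(html: str, hosts: list[str]) -> str:
    """Build a script-src directive from explicit hosts plus inline hashes,
    so that 'unsafe-inline' is not needed."""
    sources = ["'self'", *hosts, *inline_script_hashes(html)]
    return "script-src " + " ".join(sources) + ";"


if __name__ == "__main__":
    print(build_script_src(SAMPLE_HTML, ["https://maps.googleapis.com"]))
    nonce, token = csp_nonce_source()
    print(f"script-src 'self' {token};  (use nonce=\"{nonce}\" on the tag)")
```

Note that the policy string is only valid for the exact inline script text that was hashed; if the page is re-rendered with different inline content, the hash must be recomputed on the server for that response, which is why the nonce form is the simpler choice for templated pages.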

Problem :

This is my current script-src content security policy for my app:

script-src 'self' 'unsafe-inline';

Trying to load the following external JS code: ${GOOGLE_API_KEY}&libraries=places&language=he

Using unsafe-inline it works, but it's probably unsafe, so I want to remove it from my code, but then it doesn't allow the script to run.
I tried to add to script-src a value such as* but it still didn't work.
How would one allow scripts from a specific domain?