I originally have this CSP implemented:
script-src 'self' 'unsafe-eval' https://allowed-domain1.com https://allowed-domain2.com https://*.allowed-domain3.com 'nonce-***'; report-uri REPORT_URI.com
But it does not allow the domains that are dynamically added by users who add custom widgets. It's not really easy to let the users whitelist their wanted domains through CSP configuration since each of these domains might include scripts from other domains, and the user might not even be aware of them all. Thus, I'm looking for a solution that whitelists dynamically added domains and their child script sources. I expected the strict-dynamic directive to resolve this issue for me, but it ignores the self and other whitelisted domains, which makes CSP ineffective altogether. Am I missing something about how to configure strict-dynamic?
How can dynamically added resources be whitelisted at run-time for CSP?
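
Added example, not part of the original post: a simplified JavaScript model of how a CSP3 browser decides on a script load, showing why 'self' and host sources stop counting once 'strict-dynamic' is present and which scripts are trusted instead. The page origin `https://app.example`, the widget host `widgets.example`, the nonce value and the function names are constructed for illustration.

```javascript
// Simplified model of a CSP3 browser's script-src decision for one script load.
// Covers only nonces, 'strict-dynamic', 'self' and https host sources (no hashes,
// paths or default-src fallback). Assumes the policy contains a script-src directive.
const SELF_ORIGIN = "https://app.example"; // assumed origin of the protected page

function parseScriptSrc(policy) {
  const directive = policy.split(";").map(d => d.trim())
    .find(d => d.toLowerCase().startsWith("script-src ")) || "";
  const sources = directive.split(/\s+/).slice(1);
  return {
    nonces: sources.filter(s => /^'nonce-.+'$/.test(s)).map(s => s.slice(7, -1)),
    strictDynamic: sources.includes("'strict-dynamic'"),
    self: sources.includes("'self'"),
    hosts: sources.filter(s => s.startsWith("https://")).map(s => s.slice(8)),
  };
}

function hostMatches(pattern, hostname) {
  return pattern.startsWith("*.")
    ? hostname.endsWith(pattern.slice(1)) // "*.a.com" matches subdomains only
    : hostname === pattern;
}

// script: { url, nonce (attribute value or null), parserInserted (boolean) }
function isScriptAllowed(policy, script) {
  const p = parseScriptSrc(policy);
  // 1. A matching nonce always allows the script.
  if (script.nonce && p.nonces.includes(script.nonce)) return true;
  // 2. With 'strict-dynamic', 'self' and host sources are ignored: scripts written
  //    in the HTML markup need a nonce, while scripts inserted by already-running
  //    code (e.g. document.createElement) are trusted regardless of host.
  if (p.strictDynamic) return !script.parserInserted;
  // 3. Without 'strict-dynamic', fall back to the allowlist.
  const u = new URL(script.url);
  if (p.self && u.origin === SELF_ORIGIN) return true;
  return u.protocol === "https:" && p.hosts.some(h => hostMatches(h, u.hostname));
}

// Constructed policies; a real nonce is random and regenerated for every response.
const ALLOWLIST = "script-src 'self' https://allowed-domain1.com " +
  "https://*.allowed-domain3.com 'nonce-r4nd0m'";
const STRICT = "script-src 'nonce-r4nd0m' 'strict-dynamic' 'self' " +
  "https://allowed-domain1.com";
```

Under the `STRICT` policy the page's own `<script>` tags and the widget loader each need the per-response nonce; whatever the loader then inserts at run time loads without its host being listed.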