CSP is always a grind. Helmet is a good package. I’ve added CSP to a number of websites, but I’m not an expert. I think you either need to add a nonce (hash) to your scripts or “white-list” the sources (works, but not considered a best practice currently).
I have a few suggestions:
- Create an account on Stack Overflow and ask your question there. I’ve never waited more than 24 hours for a response on questions I’ve posted there.
- Check out this tutorial. Even though it is for sites on AWS S3, scroll down to the overview – it is good. https://www.savjee.be/2018/05/Content-security-policy-and-aws-s3-cloudfront/
- The example from Google is helpful: https://csp.withgoogle.com/docs/strict-csp.html#example
One other thing. You can use Mozilla Observatory to test your CSP. It is a very helpful tool.
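
The nonce approach mentioned in the reply above, as an added example that is not part of the original post and does not use Helmet: plain Node.js that generates a fresh nonce per response, sends it in the `Content-Security-Policy` header, and stamps it on every script tag. The function names and the `/static/app.js` path are assumptions made for illustration.

```javascript
// Added example: per-response nonce for a strict CSP (all names are hypothetical).
const webcrypto = globalThis.crypto ?? require('node:crypto').webcrypto;

// A nonce must be unpredictable and fresh for every response.
function makeNonce() {
  const bytes = webcrypto.getRandomValues(new Uint8Array(16));
  return btoa(String.fromCharCode(...bytes));
}

// Nonce-based policy: only scripts carrying this response's nonce may run.
function buildCsp(nonce) {
  return [
    `script-src 'nonce-${nonce}' 'strict-dynamic'`,
    "object-src 'none'",
    "base-uri 'none'",
  ].join('; ');
}

// Constructed sample page: every script tag the server emits gets the nonce.
function renderPage(nonce) {
  return `<!doctype html>
<html><body>
<h1>Hello</h1>
<script nonce="${nonce}" src="/static/app.js"></script>
<script nonce="${nonce}">console.log('inline script allowed by nonce');</script>
</body></html>`;
}

// Build headers and body together so they always share one nonce.
function respond() {
  const nonce = makeNonce();
  return {
    headers: {
      'Content-Type': 'text/html; charset=utf-8',
      'Content-Security-Policy': buildCsp(nonce),
    },
    body: renderPage(nonce),
  };
}

// Self-check: list script tags that lack the nonce the policy expects.
function scriptsMissingNonce({ headers, body }) {
  const m = /'nonce-([^']+)'/.exec(headers['Content-Security-Policy']);
  const tags = body.match(/<script\b[^>]*>/g) || [];
  return tags.filter((t) => !m || !t.includes(`nonce="${m[1]}"`));
}
```

`scriptsMissingNonce` is useful in a unit test for templates: any tag it returns would be blocked by the browser under this policy.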