
start projects with

    Content-Security-Policy: default-src 'self';
then add narrow, individually justified exceptions.



That wouldn't have helped here.

Anyone adding CSPs would have had polyfill.io as permitted... which allowed this attack.


The "justified" in "justified exceptions" is important. Whenever I review CSP additions I ask the following questions:

- do we have a trust relationship with the vendor
- is it strictly required
- what are the alternatives
- blast radius

Adding script-src has a pretty high blast radius. There is no relationship with an unpaid CDN. Alternatives can be vendoring a static polyfill script, or just fixing a few functions manually, depending on the desired level of browser support.

So it would not have passed.

Adding an exception for third-party images, for example, would have to clear a much lower bar, but even there GDPR or information leakage could be a concern.

CSP changes are just a great point to stop and think about how the frontend interacts with the rest of the world. If you just rubber-stamp everything then of course it wouldn't have any effect.
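The thread above makes two mechanical points about CSP: `default-src 'self'` blocks a third-party script by default (and the fetch directives such as `script-src` and `img-src` fall back to `default-src` when they are not set), while an allowlist entry for the polyfill host admits whatever that host serves, which is why the allowlist itself has to be justified. The evaluator below is an added example written for this page, not code from any of the commenters or from any CSP implementation; it models 'self', 'none', scheme sources and host sources (with a leading `*.` wildcard) plus the default-src fallback, and ignores nonces, hashes and the 'unsafe-*' keywords. The page origin `https://app.example`, the `cdn.polyfill.io` hostname, and all URLs and policies are constructed for illustration.

```javascript
// Added example: a minimal Content-Security-Policy allowlist evaluator.
// Not a complete CSP implementation: nonces, hashes, 'unsafe-*' keywords,
// 'strict-dynamic' and scheme-upgrade rules are deliberately left out.

// Fetch directives fall back to default-src when they are not present.
const FETCH_DIRECTIVES = new Set([
  'script-src', 'style-src', 'img-src', 'font-src', 'connect-src',
  'media-src', 'object-src', 'frame-src', 'child-src', 'worker-src',
  'manifest-src',
]);

// Parse "directive src src; directive src" into Map<name, [sources]>.
// A repeated directive name is ignored, as browsers do; the first wins.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Source list that governs `directive`, or null if nothing restricts it.
function effectiveSources(directives, directive) {
  if (directives.has(directive)) return directives.get(directive);
  if (FETCH_DIRECTIVES.has(directive) && directives.has('default-src')) {
    return directives.get('default-src');
  }
  return null;
}

// "*.example.com" matches any subdomain, never the bare apex.
function hostMatches(pattern, host) {
  const p = pattern.toLowerCase();
  if (p.startsWith('*.')) {
    const suffix = p.slice(1); // ".example.com"
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return p === host;
}

// Does one source expression admit `url` for a page at `pageOrigin`?
function sourceMatches(source, url, pageOrigin) {
  const lower = source.toLowerCase();
  if (lower === "'none'") return false;
  if (lower === "'self'") return url.origin === pageOrigin;
  if (lower.startsWith("'")) return false; // keyword/nonce/hash: not modelled
  if (/^[a-z][a-z0-9+.-]*:$/.test(lower)) return url.protocol === lower; // e.g. "https:"
  // host-source: [scheme://]host[:port][/path]
  const m = source.match(/^(?:([A-Za-z][A-Za-z0-9+.-]*):\/\/)?([^/:]+)(?::(\d+|\*))?(\/.*)?$/);
  if (!m) return false;
  const [, scheme, hostPattern, port, path] = m;
  if (scheme && url.protocol !== scheme.toLowerCase() + ':') return false;
  if (!hostMatches(hostPattern, url.hostname)) return false;
  const urlPort = url.port || (url.protocol === 'https:' ? '443' : '80');
  if (port && port !== '*' && port !== urlPort) return false;
  if (path) {
    // A path ending in "/" is a prefix match; otherwise it must match exactly.
    if (path.endsWith('/') ? !url.pathname.startsWith(path) : url.pathname !== path) return false;
  }
  return true;
}

// Would a page at `pageOrigin` carrying `header` be allowed to load
// `resourceUrl` under `directive` (e.g. 'script-src')?
function cspAllows(header, directive, resourceUrl, pageOrigin) {
  const sources = effectiveSources(parseCsp(header), directive);
  if (sources === null) return true; // nothing governs this directive
  const url = new URL(resourceUrl);
  return sources.some((s) => sourceMatches(s, url, pageOrigin));
}

// Constructed inputs: the page origin and hostnames are assumptions.
const PAGE_ORIGIN = 'https://app.example';
const STRICT_POLICY = "default-src 'self';";
const ALLOWLISTED_POLICY = "default-src 'self'; script-src 'self' https://cdn.polyfill.io";
const CDN_SCRIPT = 'https://cdn.polyfill.io/v3/polyfill.min.js';
const VENDORED_SCRIPT = 'https://app.example/vendor/polyfill.js';

function demo() {
  return {
    // The starting point from the thread blocks the third-party script...
    strictBlocksCdn: cspAllows(STRICT_POLICY, 'script-src', CDN_SCRIPT, PAGE_ORIGIN),
    // ...but still permits the vendored copy served from our own origin.
    strictAllowsVendored: cspAllows(STRICT_POLICY, 'script-src', VENDORED_SCRIPT, PAGE_ORIGIN),
    // Allowlisting the host admits whatever that host chooses to serve.
    allowlistedAllowsCdn: cspAllows(ALLOWLISTED_POLICY, 'script-src', CDN_SCRIPT, PAGE_ORIGIN),
    // img-src was not set, so it falls back to default-src 'self'.
    allowlistedBlocksCdnImage: cspAllows(ALLOWLISTED_POLICY, 'img-src', 'https://cdn.polyfill.io/x.png', PAGE_ORIGIN),
  };
}

console.log(demo());
```

The useful review habit the code makes concrete: run a proposed policy change against the resources it is meant to permit and against the ones it must keep blocking, so a `script-src` entry for an untrusted CDN shows up as exactly what it is, a grant of script execution to whoever controls that hostname, rather than as a line in a header.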



