Tags: amazon-s3, google-cloud-storage, cdn, content-security-policy

Does the Content Security Policy Standard support wildcard paths? If not, why doesn't it?


From reading the CSP Standard specification and examples it seems that it does not support wildcards in the path portion of a given URL. This seems like an oversight, as many CDNs and static file hosting providers share the root domain names between their users and only differentiate access on URL paths rather than the entire domain.

For example, when using S3 or Google Cloud Storage as a CDN, you might want a CSP to allow scripts/assets to be loaded from just your bucket with a wildcard URL like "https://storage.googleapis.com/my-apps-bucket/*" but disallow them for the rest of https://storage.googleapis.com, as it would be rather trivial for a malicious actor to create their own account and serve content from that root domain.

This seems like a pretty common use case; am I misunderstanding the spec? If not, what is the syntax to use wildcard paths, as utilizing a header like Content-Security-Policy: script-src 'self' https://example.com/* does not seem to work?


Solution

  • The "URL matching" part of the spec describes the algorithm in detail. It does support what you're asking for, but you don't use the wildcard character.

    The spec discusses the optional "path-part" of the allowed sources, and says if the allowed URL ends in a slash "/", it is a prefix match rather than an exact match.

    So, in your example, if you allow

    https://storage.googleapis.com/my-apps-bucket/

    with a slash but without the asterisk on the end, it will match files below that URL, for example

    https://storage.googleapis.com/my-apps-bucket/file1.js
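As an added example (not part of the question or the answer above), here is a small Python checker that applies the path-part rule the answer describes to the question's own URLs. It implements the host and path comparison directly and is a simplification of the spec's full matching algorithm: it does no percent-decoding, treats an omitted port as "any port", and does not resolve keyword sources such as 'self'.

```python
from urllib.parse import urlsplit


def parse_csp(header):
    """Parse a Content-Security-Policy header value into {directive: [source, ...]}."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def path_matches(expr_path, url_path):
    """CSP path-part matching: an empty path matches everything on the host,
    a path ending in '/' is a prefix match, anything else is an exact match.
    '*' inside a path is an ordinary character, so '/my-apps-bucket/*' only
    matches a resource literally named '*', never a wildcard."""
    if not expr_path:
        return True
    if expr_path.endswith("/"):
        return url_path.startswith(expr_path)
    return url_path == expr_path


def source_allows(source, url):
    """Does one host-source expression (scheme://host[:port][/path]) allow url?
    Keyword sources like 'self' are not resolved here and are treated as non-matching."""
    if source.startswith("'"):
        return False
    src = urlsplit(source if "://" in source else "//" + source)
    u = urlsplit(url)
    if src.scheme and src.scheme != u.scheme:
        return False
    src_host, u_host = src.hostname or "", u.hostname or ""
    if src_host.startswith("*."):           # '*.example.com' matches any subdomain
        if not u_host.endswith(src_host[1:]):
            return False
    elif src_host != u_host:
        return False
    if src.port is not None and src.port != u.port:   # simplified: no default-port handling
        return False
    return path_matches(src.path, u.path)   # the query string is ignored by the spec


def script_allowed(header, url):
    """True if url may be loaded as a script under the header's script-src directive."""
    sources = parse_csp(header).get("script-src", [])
    return any(source_allows(s, url) for s in sources)


# Constructed sample policies mirroring the question: a trailing slash scopes the
# allowance to one bucket, whereas a bare host allows every bucket on the CDN.
CSP_BUCKET_ONLY = "script-src 'self' https://storage.googleapis.com/my-apps-bucket/"
CSP_WHOLE_HOST = "script-src 'self' https://storage.googleapis.com"
```

The "/*" form from the question parses as a literal path and therefore matches nothing useful, which is why it appears not to work.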