Content Security Policy not allowing execution of script even though domain is listed in script-src

I'm attempting to help one of our QA engineers be able to run a script on the console in our dev environment.

The script-src portion of the CSP is as follows:

script-src 'unsafe-inline' 'self' *.fontawesome.com *.cloudflare.com *.unpkg.com;

However, when executing their script, I receive this error:

[Report Only] Refused to load the script 'https://unpkg.com/gremlins.js' because it violates
the following Content Security Policy directive: "script-src 'unsafe-inline' 'self' *.fontawesome.com
*.cloudflare.com *.unpkg.com". Note that 'script-src-elem' was not explicitly set, so 'script-src'
is used as a fallback.

Shouldn't *.unpkg.com in the Content Security Policy cover this scenario? What am I missing here?

Solution

No. *.unpkg.com allows all subdomains of unpkg.com, but not unpkg.com itself. You will need to add unpkg.com to script-src.

What does the CSP nonce implementation look like?
Webpack 4 build bricks CSP with unsafe-eval
content security policy for svg with inline style
Why am I getting this Content Policy error?
Eclipse Scout CSP in Java/Javascript
How to allow all frame ancestors with CSP header?
CSP script-src settings reject inline-scripts in wordpress
Content Security Policy wildcard seems to be ignored
Refused to apply inline style because it violates the following Content Security Policy directive
How to override content security policy while including script in browser JS console?
How to Fix "String as JavaScript" Errors in FLP? (Async Module Loading)
Refused to load the font '<URL>' because it violates the following Content Security Policy directive: "font-src 'none'"
React Helmet: Hash Not Accepted?
Should Content-Security-Policy header be applied to all resources?
Google Chrome Stripping nonce values from script tags
Enforcing a web page to be iframed?
Shall I use the Content-Security-Policy HTTP header for a backend API?
Content Security Policy: allowing all external images?
Firefox Security Error: Content at http://localhost:NNNN/ may not load data from blob:http://localhost:NNNN/... when assigning blob url of MediaSource
Can I use CSP to limit requests to both https: AND 'self'?
content-security-policy meta tag for allowing web socket
SignalR Refused to connect to [url] because it violates the following Content Security Policy directive
What is the meaning of 'self' blob:?
Content Security Policy "data" not working for base64 Images in Chrome 28
dangerouslySetInnerHTML not working with a <script>
CSP style-src: 'unsafe-inline' - is it worth it?
Prevent svelte build from including inline script as it violates CSP
insertBefore and appendChild in font awesome kit (version 5.15.4) causing csp issue only in Firefox Asp.Net Core
Vite + Vue 3 built project Content-Security-Policy Error (CSP) 'script-src "self"' because of new Function constructor in built files
Refused to load the script : Content-Security-Policy