I’ve only ever done this with a paid license, so I might be wrong. But you can add your content-security-policy to your index.html (which you can find in your theme folder) in the header. Like so:
<head> <meta http-equiv="Content-Security-Policy" content="default-src 'self'; img-src *"> </head>
In the content, you can change the CSP to your wishes.
I also found some documentation on how to do this in a PWA app, which might help you get in the right direction. https://docs.mendix.com/refguide/progressive-web-app/csp/
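An added example, not part of the original answer and not Mendix code: a small Python check for an index.html that carries its CSP in a meta tag. It flags typographic quotes pasted into the tag, directives that browsers ignore in a meta-delivered policy (frame-ancestors, report-uri, sandbox), wildcard sources, and scripts or stylesheets placed ahead of the policy, which the policy does not cover. The sample HTML strings, file names and function names are constructed for illustration.

```python
from html.parser import HTMLParser

# Directives the CSP specification ignores when the policy comes from <meta>.
META_IGNORED = {"frame-ancestors", "report-uri", "sandbox"}
CURLY = set("“”‘’")  # typographic quotes: invalid as HTML quotes and in 'self'

class MetaCspAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.policies, self.findings, self.loaded_before = [], [], []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "link") and not self.policies:
            self.loaded_before.append(tag)  # requested before any policy exists
        if tag != "meta":
            return
        text = " ".join(f"{k}={v or ''}" for k, v in attrs)
        if "content-security-policy" not in text.lower():
            return
        if CURLY & set(text):
            self.findings.append("curly quotes in CSP <meta>: policy will not parse as intended")
            return
        a = {k: (v or "") for k, v in attrs}
        if a.get("http-equiv", "").strip().lower() != "content-security-policy":
            return
        self.policies.append(a.get("content", ""))
        if self.loaded_before:
            self.findings.append("loaded before the policy: " + ", ".join(self.loaded_before))
        for part in self.policies[-1].split(";"):
            tokens = part.split()
            if tokens and tokens[0].lower() in META_IGNORED:
                self.findings.append(f"{tokens[0].lower()} is ignored in <meta>; send it as an HTTP header")
            elif "*" in tokens[1:]:
                self.findings.append(f"{tokens[0].lower()} allows every origin (*)")

def audit(html):
    """Return a list of findings; an empty list means nothing was flagged."""
    parser = MetaCspAudit()
    parser.feed(html)
    parser.close()
    if not parser.policies and not parser.findings:
        parser.findings.append("no CSP <meta> found")
    return parser.findings

# Constructed samples: the tag from the answer, a curly-quoted paste, a late policy.
STRAIGHT = "<head><meta http-equiv=\"Content-Security-Policy\" content=\"default-src 'self'; img-src *\"></head>"
PASTED = "<head><meta http-equiv=“Content-Security-Policy” content=”default-src ‘self’; img-src *”></head>"
LATE = "<head><script src=\"app.js\"></script><meta http-equiv=\"Content-Security-Policy\" content=\"default-src 'self'; frame-ancestors 'none'\"></head>"
```

An empty list from `audit()` means none of these checks fired; it does not validate the policy itself.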