Thanks for the reminder that I needed to update the OP. Done.
We implemented a strict-dynamic CSP a while back and you shouldn’t need to do any further setup.
We’d recommend removing https: or unsafe-inline unless you need them for some specific reason, as they do not provide any protection against XSS vulnerabilities.
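
A way to check a policy against the recommendation above, as an added example that is not part of the original post or the project's own code: it parses a CSP header and lists the script sources that a CSP Level 3 browser ignores once 'strict-dynamic' is present. It goes slightly beyond https: and unsafe-inline by also flagging 'self' and host sources, which are ignored in the same way; the function names, the sample policy and the nonce are constructed for illustration.

```javascript
// Split a CSP header value into a map of directive name -> source list.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored by browsers: the first one wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Report which script sources have no effect in a CSP3 browser.
function auditScriptSrc(header) {
  const directives = parseCsp(header);
  // script-src falls back to default-src when it is absent.
  const sources = directives.get("script-src") || directives.get("default-src") || [];
  const lower = sources.map((s) => s.toLowerCase());
  const strictDynamic = lower.includes("'strict-dynamic'");
  // 'strict-dynamic' needs a nonce or hash to trust the first script.
  const hasNonceOrHash = lower.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));

  const ignored = sources.filter((src, i) => {
    const s = lower[i];
    // 'unsafe-inline' is ignored as soon as a nonce or hash is present.
    if (s === "'unsafe-inline'") return strictDynamic || hasNonceOrHash;
    if (!strictDynamic) return false;
    if (s === "'self'") return true;
    if (s.startsWith("'")) return false; // nonces, hashes, other keywords
    return true; // scheme-source (https:) or host-source
  });
  return { strictDynamic, hasNonceOrHash, ignored };
}

// Constructed sample policy, not taken from any real site.
const SAMPLE_POLICY =
  "script-src https: 'unsafe-inline' 'strict-dynamic' 'nonce-Zm9vYmFy'; " +
  "object-src 'none'; base-uri 'self'";

console.log(auditScriptSrc(SAMPLE_POLICY));
```

Sources reported in `ignored` only matter to older browsers that do not understand 'strict-dynamic', so each one left in the policy should have a specific reason for being there.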