I can reproduce.
A recently introduced setting allows external scripts to run dynamically without manual configuration.
It’s not available in 3.2.
it’s definitively not a good idea to allow the “/uploads” directory.
However, as a workaround, allowing only the URLs should be okay.
If you go to the component settings:
You can right-click on each link to copy and paste them to the content security policy script-src setting.
I don’t know if there is a better way to handle the CSP issue here from a theme component. 