Content Security Policy (CSP) trouble
- caught-in-a-nette
- Member | 19
This app has been progressing well over time. I have forms that
get/update/insert/delete from the database fine; JavaScript that makes the user
experience better; language translation support and other features.
In the neon configuration files I have also added some neat features.
A while back, I incorporated CSP to use a nonce for scripts, etc.
Recently I have been encountering some issues where some scripts are not functioning. They are no longer being loaded. (Browser console: Refused to load …js because it does not appear in the script-src directive of the Content Security Policy.)
I basically understand CSP and know that scripts (and styles, etc.) can be
controlled by its settings. However, I have tried making many additions and changes,
but the header is basically the same (Content-Security-Policy: script-src
'nonce-xyz' 'strict-dynamic';), which is the standard for employing
version 3. And I have n:nonce in all my latte script tags.
(My latest neon configuration:)

```neon
http:
    csp:
        script-src: [
            nonce                  # for browsers that support CSP2
            self, unsafe-inline    # for browsers that support CSP1
        ]
        frame-ancestors: none
        form-action: self
        style-src:
            - self
            - https://cdn.example.com
```
(Prior to these defaults, I tried adding other domains, etc.)
Instead of including each file, I have this in Bootstrap.php:

```php
$files = glob($appDir . '/config/*.neon', GLOB_NOSORT);
foreach ($files as $file) {
    $configurator->addConfig($file);
}
```
My changes seem to make no difference. Is there another location of the CSP
configuration?
(At one point, last week, the main pages loaded OK with no browser js errors,
however sub pages presented CSP errors.)
It seems there's some interference. Please help.
- caught-in-a-nette
- Member | 19
It is definitely in Development mode – I always see the Tracy bar.
(I configured debug mode for all 192.168.1/24 addresses.)
Also (even though it is not needed) I often do rm -rf temp/cache.
Sometimes I even flush the opcache.
ATM I use Chrome to test JavaScript since I have installed a Chrome extension to disable CSP with a switch. Safari – my main browser – is used to test the PHP.
(I've read a few of your articles on CSP configuration.)
I'll try the code for Bootstrap.php & index.php and see if anything changes.
- caught-in-a-nette
- Member | 19
@David Grudl
When I set it up as per the code in your 1st link, in Bootstrap.php &
index.php, I got the following error:
App\Bootstrap::bootWebApplication(): Return value must be of type
App\Nette\DI\Container, Container_a60adf3baa returned
So I commented out the return type (next to the function name, available from
PHP 7, I think), and the app worked OK.
So I guess the return type is wrong, but I don't know what to make it. (Please have
that page fixed.) BTW I'm using PHP 8.3.
Anyway, I'm still having the same CSP problem.
- caught-in-a-nette
- Member | 19
For some unknown reason, probably while testing something, I set a block
of code to generate a random nonce and set the CSP header.
Removed it and all is working as it should.
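The two situations in this thread, the `script-src 'nonce-…' 'strict-dynamic'` header from the first post and the stray block in the last post that set a second, freshly generated nonce, can be reproduced offline. The script below is an added example, not code from the forum post or from Nette: it implements the CSP3 script-src matching rules in simplified form (nonce sources, 'strict-dynamic', 'self', plain host sources, 'unsafe-inline' nullified by a nonce; no hashes, wildcards or path matching) and audits the `<script>` tags of a constructed page under three constructed headers. The page origin, nonce values, paths and HTML are all assumptions made for the example.

```python
from __future__ import annotations

import re
from urllib.parse import urlsplit

# Constructed sample page (not from the forum post). The first two tags carry the
# nonce the template was rendered with (what n:nonce would emit); the others do not.
PAGE_ORIGIN = "https://app.example.test"   # assumed origin
TEMPLATE_NONCE = "r4nd0mN0nc3"              # assumed nonce value
HTML = f"""
<script nonce="{TEMPLATE_NONCE}" src="/js/app.js"></script>
<script nonce="{TEMPLATE_NONCE}">window.ready = true;</script>
<script src="/js/vendor.js"></script>
<script>legacy();</script>
<script src="https://cdn.example.com/lib.js"></script>
"""

SCRIPT_RE = re.compile(r"<script\b([^>]*)>", re.IGNORECASE)
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|(\S+))""")


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split "a b c; d e" into {"a": ["b", "c"], "d": ["e"]}; source values keep their case."""
    policy: dict[str, list[str]] = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            name, *sources = parts
            policy[name.lower()] = sources
    return policy


def script_tag_attrs(tag_body: str) -> dict[str, str]:
    """Attributes of one <script ...> opening tag as a lower-cased name -> value map."""
    return {m.group(1).lower(): (m.group(2) or m.group(3) or m.group(4) or "")
            for m in ATTR_RE.finditer(tag_body)}


def host_matches(source: str, src_url: str, page_origin: str) -> bool:
    """Simplified host-source match: the script's origin must equal the source's origin."""
    target = urlsplit(src_url if "://" in src_url else page_origin + src_url)
    if source.lower() == "'self'":
        want = urlsplit(page_origin)
    else:  # a scheme-less host source inherits the page's scheme here (simplification)
        want = urlsplit(source if "://" in source else f"{target.scheme}://{source}")
    return (target.scheme, target.netloc) == (want.scheme, want.netloc)


def script_allowed(policy: dict[str, list[str]], attrs: dict[str, str],
                   page_origin: str) -> tuple[bool, str]:
    """Apply the CSP3 script-src rules to one <script> tag; returns (allowed, reason)."""
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return True, "no script-src or default-src directive"
    lowered = [s.lower() for s in sources]
    nonces = {s[len("'nonce-"):-1] for s in sources if s.lower().startswith("'nonce-")}
    strict_dynamic = "'strict-dynamic'" in lowered
    # CSP2+: a nonce in the list nullifies 'unsafe-inline'.
    # CSP3: 'strict-dynamic' additionally nullifies 'self' and every host source.
    unsafe_inline = "'unsafe-inline'" in lowered and not nonces
    if attrs.get("nonce") and attrs["nonce"] in nonces:
        return True, "nonce matches the header"
    src = attrs.get("src")
    if src is None:  # inline script
        if unsafe_inline:
            return True, "'unsafe-inline' honoured (no nonce in policy)"
        return False, "inline script without a matching nonce"
    if strict_dynamic:
        return False, "'strict-dynamic' ignores 'self' and host sources; nonce missing or mismatched"
    for s in sources:
        if s.lower() == "'self'" or not s.startswith("'"):
            if host_matches(s, src, page_origin):
                return True, f"matched {s}"
    return False, "no host source matches"


def audit(header: str, html: str, page_origin: str = PAGE_ORIGIN) -> list[tuple[str, bool, str]]:
    """(script label, allowed, reason) for every <script> tag in html under header."""
    policy = parse_csp(header)
    results = []
    for m in SCRIPT_RE.finditer(html):
        attrs = script_tag_attrs(m.group(1))
        allowed, reason = script_allowed(policy, attrs, page_origin)
        results.append((attrs.get("src", "<inline>"), allowed, reason))
    return results


def refused(header: str, html: str, page_origin: str = PAGE_ORIGIN) -> list[str]:
    """Labels of the scripts a browser would refuse to run under this header."""
    return [label for label, ok, _ in audit(header, html, page_origin) if not ok]


# Three constructed headers: the one the page was rendered with, the same policy after a
# stray header() call replaced the nonce, and a CSP1-style fallback without 'strict-dynamic'.
FRAMEWORK_HEADER = f"script-src 'nonce-{TEMPLATE_NONCE}' 'strict-dynamic'; frame-ancestors 'none'"
STRAY_HEADER = "script-src 'nonce-0th3rN0nc3' 'strict-dynamic'; frame-ancestors 'none'"
FALLBACK_HEADER = f"script-src 'nonce-{TEMPLATE_NONCE}' 'self' 'unsafe-inline'"

if __name__ == "__main__":
    for name, hdr in [("framework", FRAMEWORK_HEADER), ("stray", STRAY_HEADER), ("fallback", FALLBACK_HEADER)]:
        print(name)
        for label, ok, reason in audit(hdr, HTML):
            print(f"  {'OK     ' if ok else 'REFUSED'} {label}: {reason}")
```

The "stray" scenario refuses every script, including the tags that carry a nonce, which is the console message quoted in the first post: the tags hold the nonce the template was rendered with, so any later code that replaces the header with a different value invalidates all of them at once. The other two scenarios show two caveats worth knowing when reading the posted neon config: a browser that understands 'strict-dynamic' ignores 'self', so a `<script>` tag without n:nonce stays blocked even for same-origin files, and 'unsafe-inline' is ignored as soon as a nonce is present, so the CSP1 fallback only helps browsers that do not understand nonces.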