Added more stuff as my brain started to kick in. I have a mug of tea somewhere brewing. SHIT MY TEA brbs Ok I’m back with the tea.
You just need to know which extension it is and it’s in the headers when the HTML is loaded.
(Under the content-security-policy header). My public stuff isn’t that hard to find!
The Live CSP (pulled from the TwitchPage of, and with the rules for FlightSimTrack added) currently stands at:
content-security-policy:
default-src 'self' https://q6gmlap07mpxekhpspevz2sq5xjth7.ext-twitch.tv;
block-all-mixed-content;
img-src 'self' https://q6gmlap07mpxekhpspevz2sq5xjth7.ext-twitch.tv https://static-cdn.jtvnw.net https://*.tile.openstreetmap.org/ https://ows.mundialis.de/ https://*.tile.maps.openaip.net/ https://*.tiles.openrailwaymap.org/ https://basemap.nationalmap.gov/ https://www.google-analytics.com data: blob:;
media-src 'self' https://q6gmlap07mpxekhpspevz2sq5xjth7.ext-twitch.tv data: blob:;
frame-ancestors https://supervisor.ext-twitch.tv https://extension-files.twitch.tv https://*.twitch.tv https://*.twitch.tech https://localhost.twitch.tv:* https://localhost.twitch.tech:* http://localhost.rig.twitch.tv:*;
font-src 'self' https://q6gmlap07mpxekhpspevz2sq5xjth7.ext-twitch.tv https://fonts.googleapis.com https://fonts.gstatic.com;
style-src 'self' 'unsafe-inline' https://q6gmlap07mpxekhpspevz2sq5xjth7.ext-twitch.tv https://fonts.googleapis.com;
connect-src 'self' https://q6gmlap07mpxekhpspevz2sq5xjth7.ext-twitch.tv https://api.twitch.tv wss://pubsub-edge.twitch.tv https://twitch.extensions.barrycarlyon.co.uk https://www.google-analytics.com https://stats.g.doubleclick.net;
script-src 'self' https://q6gmlap07mpxekhpspevz2sq5xjth7.ext-twitch.tv https://extension-files.twitch.tv https://www.google-analytics.com;
(YAY FORUM FORMATTING)
And that's what I used to build out my test system (see end of post for the NPM module, which could be adapted to other test server scenarios (i.e. not a hosted test)).
For the record my Allowlist for Image Domains for the Extension FlightSimTrack is:
https://*.tile.openstreetmap.org/, https://ows.mundialis.de/, https://*.tile.maps.openaip.net/, https://*.tiles.openrailwaymap.org/, https://basemap.nationalmap.gov/
Which sits after the TwitchCDN and before GoogleAnalytics in the list above.
Not sure what would work best for Google since I don't use Google Maps (licensing/cost issue).
And I explicitly explained in my Release notes why I have wildcards in there and the purpose of those domains. (I’d have to dig if I kept those notes about but the key part was explaining my choices)
So this should be a valid CSP rule if you wanted to narrow it down to the z/x/y folder of the domain:
Resource: https://{s}.tile.openstreetmap.org/{z}/{x}/{y}.png
ValidCSP: https://*.tile.openstreetmap.org/*/*/*.png
I’d probably omit .png off the end in case they surprise switched to .webp or something, but then you’d have to update leaflet’s configuration (yay release cycle) or have a way to dynamically update what you are feeding to leaflets configuration.
(Yes the dev console says “base URLs” but any valid CSP rule should be valid here)
CSP rules can be specific down to the resource. See under Hosts Values - Content-Security-Policy - HTTP | MDN
And for the full shebang on the brain dump of CSP, here's the !csp command from the TwitchDev Discord
I expect the issue here is really Google's domain: if it's just *.google.com it's far too open. It also depends on what data layers (if any) you are using.
Hope this helps, it got long-winded and rambly.
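Added example (not code from the post, FlightSimTrack or Twitch): a small Python matcher that applies the CSP3 host-source rules (leftmost-label `*` wildcard, explicit or `:*` ports, prefix path matching for sources ending in `/`) to the img-src allowlist quoted above, so you can check which tile URLs the header would admit before a release cycle. SELF is assumed to be the extension's ext-twitch.tv origin from the header; the sample URLs are constructed.

```python
from urllib.parse import urlsplit

# Constructed sample input: the img-src list quoted in the post, plus the
# extension's own origin from the header above (assumed to be 'self').
SELF = "https://q6gmlap07mpxekhpspevz2sq5xjth7.ext-twitch.tv"
IMG_SRC = [
    "'self'", "https://*.tile.openstreetmap.org/", "https://ows.mundialis.de/",
    "https://*.tile.maps.openaip.net/", "https://*.tiles.openrailwaymap.org/",
    "https://basemap.nationalmap.gov/", "data:", "blob:",
]
DEFAULT_PORTS = {"https": 443, "http": 80, "wss": 443, "ws": 80}


def _port(parts):
    return parts.port if parts.port is not None else DEFAULT_PORTS.get(parts.scheme)


def source_matches(source, url, self_origin=SELF):
    """Simplified CSP3 source-expression match for one entry: 'self', scheme-
    sources (data:, blob:) and host-sources with a leading '*.' wildcard,
    explicit ports and prefix path matching. Percent-decoding and the
    http->https upgrade rule are left out."""
    u = urlsplit(url)
    if source == "'self'":
        s = urlsplit(self_origin)
        return (s.scheme, s.hostname, _port(s)) == (u.scheme, u.hostname, _port(u))
    if source.endswith(":"):                      # scheme-source
        return u.scheme == source[:-1].lower()
    s = urlsplit(source if "://" in source else "//" + source)
    if (s.scheme or urlsplit(self_origin).scheme) != u.scheme:
        return False
    host, want = u.hostname or "", s.hostname or ""
    if want.startswith("*."):
        # '*.example.org' matches 'a.example.org' but not bare 'example.org'.
        if not host.endswith(want[1:]):
            return False
    elif want != "*" and host != want:
        return False
    if s.netloc.rsplit(":", 1)[-1] != "*" and _port(s) != _port(u):
        return False                              # port must agree unless ':*'
    upath = u.path or "/"
    if s.path.endswith("/"):                      # directory prefix match
        return upath.startswith(s.path)
    return not s.path or upath == s.path          # exact path, or no path given


def is_allowed(url, sources=IMG_SRC, self_origin=SELF):
    """True if any entry of the directive's source list matches the URL."""
    return any(source_matches(src, url, self_origin) for src in sources)
```

Note that the wildcard entry admits `a.tile.openstreetmap.org` but not the bare `tile.openstreetmap.org`, and a different port or scheme on an allowed host is refused.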