CSP rule not working, what can i do?

Hey guys, I’m having an issue about CSP rules on my netlify app.

I’m trying to use the CDN from tailwind on my website, and on development it works fine, but when I deploy to netlify, it says the cdn has been blocked by CSP policy.

I already have the CDN URL on the _headers file, but it didin’t make any difference at all.

this is how i did the setup my _headers file:

/*
   Strict-Transport-Security: max-age=63072000; includeSubdomains; preload
   Content-Security-Policy: default-src https: 'self' *.netlify.app; connect-src 'self' 'unsafe-inline' https://accounts.google.com/gsi/* https://google.com/pagead/* https://google.com/ccm/* https:// bat.bing.com/* https://google.com/* https://app-cdn.clickup.com/* https://forms.clickup.com/* *.clarity.ms *.googleadservices.com *.bing.com connect.facebook.net *.facebook.net snap.licdn.com *.ads.linkedin.com *.adsymptotic.com https://cdn.tailwindcss.com/cdn.linkedin.oribi.io * .facebook.com analytics.google.com *.google-analytics.com *.analytics.google.com *.googletagmanager.com *.g.doubleclick.net *.google.com *.google.com.br gap: ws :* *.fontawesome.com *.seguroviagem.srv.br *.w3.org cdnjs.cloudflare.com *.cloudfront.net *.amazonaws.com *.ampproject.org bat.bing.com; font-src 'self' a1.seguroviagem.srv.br *.seguroviagem.srv.br fonts.gstatic.com cdnjs.cloudflare.com *.cloudflare.com; frame-src https://accounts.google.com/gsi/ *.google.com *.facebook.com *.bing.com *.youtube.com *.instagram.com; img-src 'self' data: blob: realcms2021.s3.sa-east-1.amazonaws.com *.facebook.com *.clarity.ms *.linkedin.com *.bing.com snap.licdn.com *. ads.linkedin.com *.adsymptotic.com *.seguroviagem.srv.br *.amazonaws.com *.w3.org *.cloudfront.net i.ytimg.com *.google-analytics.com *.analytics.google. with *.googletagmanager.com *.g.doubleclick.net *.google.com *.google.com.br; script-src https://accounts.google.com/gsi/client https://bat.bing.com/ https://google.com/pagead https://google.com/ccm https: 'self' ' unsafe-inline' 'unsafe-eval' blob: *.seguroviagem.srv.br *.google.com google.com *.cloudfront.net snap.licdn.com analytics.google.com *.bing.com 'unsafe-inline ' https://www.googletagmanager.com; style-src https://accounts.google.com/gsi/style https://cdn.tailwindcss.com/ https: 'self' 'unsafe-inline' blob: *.seguroviagem.srv.br; frame-ancestors 'self';
   Permissions-Policy: accelerometer=(), autoplay=(), camera=(), encrypted-media=(), fullscreen=(self), geolocation=*, gyroscope=(), magnetometer=(), microphone=() , midi=(), payment=(), picture-in-picture=(), sync-xhr=(), usb=()
   X-Content-Type-Options: nosniff
   X-XSS-Protection: 1; mode=block
   Set-Cookie: HttpOnly; Secure; SameSite=Strict;

/affiliates/iframe/*
   Content-Security-Policy: frame-ancestors https://*/;

if someone can help me with that, i appreciate it a lot

We need to see the site to comment.