Content Security Policy (CSP) blocks external javascript without having configured it

Question

I\'m building a web app with react and webpack. The app uses the spotify sdk which is loaded via a script tag from spotify. Running the app in development mode works fine bu