script-src origin
The third-party script's origin (https://cdnjs.cloudflare.com) is not listed in script-src. A plain <script src="..."> tag has no nonce or hash, so the origin must be explicitly trusted — the browser blocks the load.
Response header
Content-Security-Policy: script-src 'self'Script tag in page source
<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.7.1/jquery.min.js"></script>
Result
( ._.)
Check the browser console to see the CSP violation error.