Modifying default-src in Content-Security-Policy

Hi,

I have a Custom UI component that uses a third-party script to render mathematical formulas. This script needs to download (many) fonts from the domain that the script itself is also coming from. However, the requests to this domain are getting blocked due to the CSP ‘default-src’. The ‘default-src’ value my browser gets from Atlassian is ‘self’.

I have checked the following pages, but couldn’t see any field that controls ‘default-src’. Is there any way to modify this CSP directive?

https://developer.atlassian.com/platform/forge/manifest-reference/permissions/
https://developer.atlassian.com/platform/forge/add-content-security-and-egress-controls