I couldn’t find the Content Security Policy (CSP) requirements for YouTube videos posted anywhere, so I threw together my own after some trial and error.
The requirements below are for the cookieless embed version of YouTube hosted on www.youtube-nocookie.com. This version can be accessed by choosing the "Enable privacy-enhanced mode" option in the embed menu.
frame-src is used to embed the actual video, and img-src is used for the images that load when the video is paused and other recommended videos are displayed.
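As an added example (not part of the original post), here is a small JavaScript check that a policy string permits the embed, including the fallback from frame-src to child-src and default-src when frame-src is absent. The function names are hypothetical, https://thumbnails.example is a placeholder for the image host, and source matching is simplified to scheme and host.

```javascript
// Added example, not from the original post. Function names are hypothetical.
// Constructed sample policy; thumbnails.example is a placeholder image host.
const SAMPLE_POLICY = "default-src 'self'; " +
  "frame-src https://www.youtube-nocookie.com; img-src 'self' https://thumbnails.example";

// Fallback chains CSP defines for the two directives the post uses.
const FALLBACK = {
  'frame-src': ['frame-src', 'child-src', 'default-src'],
  'img-src': ['img-src', 'default-src'],
};

// Parse a CSP header value into a Map of directive name -> source list.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // The first occurrence of a directive wins; later duplicates are ignored.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

// Simplified matching: scheme and host only. Ports and paths are ignored, and a
// host without a scheme is treated as matching any scheme.
function sourceMatches(source, url) {
  const s = source.toLowerCase();
  if (s === '*') return url.protocol === 'http:' || url.protocol === 'https:';
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return s === url.protocol; // scheme-source
  if (s.startsWith("'")) return false; // 'self', 'none': never a third-party host
  const m = s.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)/);
  if (!m) return false;
  const [, scheme, host] = m;
  if (scheme && scheme + ':' !== url.protocol) return false;
  return host.startsWith('*.')
    ? url.hostname.endsWith(host.slice(1))
    : url.hostname === host;
}

// True if `policy` lets `directive` load `target` (assumed to be a third-party URL).
function allows(policy, directive, target) {
  const directives = parseCsp(policy);
  const effective = FALLBACK[directive].find((d) => directives.has(d));
  if (!effective) return true; // no governing directive: nothing is restricted
  const url = new URL(target);
  return directives.get(effective).some((src) => sourceMatches(src, url));
}
```

Running a check like this against the deployed header catches the common failure where a site sets only default-src 'self' and the embed is blocked through fallback.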