When including something like http: or https: in the connect-src and img-src directives of the contentsecuritypolicy of webextensions, they are simply ignored.
Other matches like https://*.example.com/ work as expected.
Other matches like https://*.example.com/ work as expected.
This is expected behavior. Safari doesn't allow a full wildcard in the content security policy string.
If this is breaking your extension, could you please file feedback on https://feedbackassistant.apple.com explaining what your extension is trying to do and why you need these full wildcards?
If this is breaking your extension, could you please file feedback on https://feedbackassistant.apple.com explaining what your extension is trying to do and why you need these full wildcards?