Refusing to load script and stylesheets content-security in apache conf

I have the following setup in my apache conf for security:

Header always append X-Frame-Options SAMEORIGIN
Header always set X-XSS-Protection "1; mode=block"
Header always set X-Content-Type-Options: nosniff
Header set Content-Security-Policy "default-src 'self' 'unsafe-inline' gatewayt.moneries.com 'unsafe-eval';"
Header always set Referrer-Policy: strict-origin-when-cross-origin

I have 2 different errors for 2 different applications. I just want to allow Moneris and googleapis to be able to run scripts and style sheets from my Apache server.

1.

Refused to load the script 'https://gatewayt.moneris.com/chkt/js/chkt_v1.00.js' because it violates the following Content Security Policy directive: "default-src 'self' 'unsafe-inline' gatewayt.moneries.com  'unsafe-eval'". Note that 'script-src-elem' was not explicitly set, so 'default-src' is used as a fallback.
Refused to load the stylesheet 'https://fonts.googleapis.com/css?family=Droid+Sans:400,700' because it violates the following Content Security Policy directive: "default-src 'self' 'unsafe-inline' ottawa.ca 'unsafe-eval'". Note that 'style-src-elem' was not explicitly set, so 'default-src' is used as a fallback.

<SERVER DOMAIN NAME>/:1 Refused to load the stylesheet 'https://fonts.googleapis.com/css?family=Droid+Sans:400,700' because it violates the following Content Security Policy directive: "default-src 'self' 'unsafe-inline' ottawa.ca 'unsafe-eval'". Note that 'style-src-elem' was not explicitly set, so 'default-src' is used as a fallback.
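
Both console errors above come down to CSP host-source matching after the fallback to `default-src`. The Python sketch below is an added example, not part of the original question, and models that check for the policy and URLs shown. `PROPOSED_POLICY` and the `https://app.example` page origin are assumptions, and the matcher handles only `'self'` and host sources, ignoring schemes, ports and paths.

```python
from urllib.parse import urlsplit

# Values copied from the question's config and console errors.
PAGE_POLICY = "default-src 'self' 'unsafe-inline' gatewayt.moneries.com 'unsafe-eval';"
SCRIPT_URL = "https://gatewayt.moneris.com/chkt/js/chkt_v1.00.js"
STYLE_URL = "https://fonts.googleapis.com/css?family=Droid+Sans:400,700"
# Assumption: one possible policy that names the hosts exactly as the browser requests them.
PROPOSED_POLICY = (
    "default-src 'self'; "
    "script-src 'self' 'unsafe-inline' 'unsafe-eval' gatewayt.moneris.com; "
    "style-src 'self' 'unsafe-inline' fonts.googleapis.com"
)
# Fallback order the browser reports ("'script-src-elem' was not explicitly set ...").
FALLBACK = {
    "script-src-elem": ["script-src-elem", "script-src", "default-src"],
    "style-src-elem": ["style-src-elem", "style-src", "default-src"],
}

def parse_policy(policy):
    """Split a CSP header value into {directive: [source expressions]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:  # skip the empty piece after a trailing ';'
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives

def source_matches(source, url, page_origin):
    """Match one source expression against a URL ('self' and host sources only)."""
    target = urlsplit(url)
    if source == "'self'":
        return f"{target.scheme}://{target.netloc}" == page_origin
    if source.startswith("'"):  # 'unsafe-inline' / 'unsafe-eval' never match a URL
        return False
    host = source.split("://")[-1].split("/")[0].lower()
    if host.startswith("*."):
        return target.hostname.endswith(host[1:])
    return target.hostname == host  # exact comparison: one wrong letter blocks the load

def check(policy, directive, url, page_origin="https://app.example"):
    """Return (allowed, directive actually applied) for a fetch governed by `directive`."""
    parsed = parse_policy(policy)
    for name in FALLBACK[directive]:
        if name in parsed:
            return any(source_matches(s, url, page_origin) for s in parsed[name]), name
    return True, None  # no governing directive present, so nothing restricts the fetch
```

With the question's policy both fetches fall through to `default-src` and are refused, because `gatewayt.moneries.com` is not the requested host `gatewayt.moneris.com` and `fonts.googleapis.com` is not listed at all.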


Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow
