It is not currently possible to make PD Viewer fully CSP compliant.
We are able to achieve partial CSP compliance through this guide provided by Accusoft: https://drive.google.com/file/d/1CUIo8Rhe5G8DgyAdaoBRjOqs6MnKl3Ep/view
This guide provides the steps to allow the script-src 'self' policy.
Setting a CSP policy of img-src: 'self' or font-src: 'self' will fail. Currently the viewer relies on data URLs for the viewer code, including in viewercontrol.js.
There should be a way to modify the viewer samples to make them fully CSP compliant.
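
The following is an added example, not part of the original post or of Accusoft's guide. It parses a serialized Content-Security-Policy and reports whether img-src and font-src would block data: URLs, which is the failure described above. The function names and policy strings are constructed for illustration.

```javascript
// Fetch directives that fall back to default-src when absent (subset used here).
const FALLBACK_TO_DEFAULT = new Set(["script-src", "img-src", "font-src", "style-src"]);

// Parse a serialized CSP into a Map of directive name -> source expressions.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored by browsers; the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Return the source list governing `directive`, applying the default-src fallback.
// null means the policy places no restriction on that resource type.
function effectiveSources(directives, directive) {
  if (directives.has(directive)) return directives.get(directive);
  if (FALLBACK_TO_DEFAULT.has(directive) && directives.has("default-src")) {
    return directives.get("default-src");
  }
  return null;
}

// True when a data: URL load is permitted for `directive` under `policy`.
function allowsDataUrl(policy, directive) {
  const sources = effectiveSources(parsePolicy(policy), directive);
  if (sources === null) return true;
  // 'self', host sources and even "*" never match data:; only the explicit
  // scheme source "data:" does.
  return sources.some((s) => s.toLowerCase() === "data:");
}

// List which of img-src / font-src would block data: URLs under `policy`.
function directivesBlockingDataUrls(policy) {
  return ["img-src", "font-src"].filter((d) => !allowsDataUrl(policy, d));
}

// Constructed sample policies.
const strict = "script-src 'self'; img-src 'self'; font-src 'self'";
const relaxed = "script-src 'self'; img-src 'self' data:; font-src 'self' data:";
console.log(directivesBlockingDataUrls(strict));  // both directives block data:
console.log(directivesBlockingDataUrls(relaxed)); // neither blocks data:
```

Running a proposed policy through this check before deployment shows which resource types would lose their data: URLs, including when the restriction comes from default-src rather than an explicit directive.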