So before opening an issue on Github, I wanted to check here first if I understood correctly and it is indeed a bug and not just a misunderstanding.
The concerning file is lib/defaults.js and the following code lines:
var domain = ' ' + Env.httpUnsafeOrigin;
"connect-src 'self' blob: " + **(/^https:/.test(domain)? 'wss:': domain.replace('http://', 'ws://'))** + ' ' + domain + sandbox + accounts_api,
We check if our domain starts with "https:". This can never be true, because we set the variable to start with a space. So then it tries to replace "http://" with "ws://". If we only allow https, then this can also not happen and it just returns our variable domain which leads to the domain being listed twice in connect-src.
Also even if our ternary was true, we would only append 'wss:', not 'wss://safedomain.com'.