To make things worse I just found out that it seems to load different scripts when using different browsers. The previously stated URLs are valid for Firefox 34.
Chrome 39 seems to also load scripts from the following URLs:
https://www.google.com/js/ https://apis.google.com/_Probably the complete domains have to be whitelisted in order to work in all browsers, but that's a lot of work required for testing :(
(Note that in order to use the paths CSP >= 1.1 is required anyways)