fix: resolve CSP violations in _fixCSP method for script injection

- Fix incorrect regex pattern in directive parsing (/s+/  /\s+/)
- Improve CSP directive parsing with robust regex matching
- Add 'unsafe-inline' support for inline script execution
- Add wildcard (*) support for external script domains
- Update fallback CSP directives to include comprehensive permissions

Fixes CSP violations that were blocking:
- Inline scripts (unsafe-inline)
- External scripts from domains like googletagmanager.com
- Script injection functionality in Patchright

The _fixCSP method now properly handles:
- script-src: 'self' 'unsafe-eval' 'unsafe-inline' *
- style-src: with unsafe-inline support
- img-src, font-src: with data: URL support
- connect-src: with WebSocket support
- frame-ancestors: with proper fallbacks

Resolves issues on websites with strict CSP policies like penzu.com