When configuring CHILD_SRC Wicket also configures FRAME_SRC (CSPHeaderConfiguration.doAddDirective) however it only does this when FRAME_SRC is not set.
Since unsafeInline() sets CHILD_SRC to 'self', adding other CHILD_SRC directive values will not update the FRAME_SRC value anymore. The CSP settings in the code below causes a Refused to frame 'https://docs.google.com/' because it violates the following Content Security Policy directive: "frame-src 'self'". error.
A workaround is to add FRAME_SRC yourself manually to the code above (.add(CSPDirective.FRAME_SRC, "https://docs.google.com/")) but I would have expected the code to work without adding this.