`http://*` source covers `https://localhost:80` and `https://localhost:443` with
standard ports only.
But you try to load script `https://localhost:5000/` with :5000 port number.
To fix the issue you have to add `https://localhost:5000` host-source to the
script-src directive. Alternatively you can use syntax 'https://localhost:*' to allow any ports.
Note: `http://*` source covers both `http://*` and `https://*` because CSP3 browsers
do upgrade insecure http: to a secure https:.
Therefore `http://site.com` allows both `http://site.com` and `https://site.com`.