Your second variant is correct:
Content-Security-Policy
default-src 'self' *.facebook.com;
script-src 'self' *.facebook.com *.googleapis.com;
When you do specify the script-src directive in the policy, browser do not use any sources from default-src for scripts at all (do not performs fallback to default-src). Only sources from script-src will used.
So if your app loads scripts from 'self' and *.facebook.com, you have to specify these in script-src independently of default-src content.
CLICK HERE to find out more related problems solutions.