We're moving over to a blacklist approach to solve this issue.
In today's website structure, with resources being hosted on other sites/platforms/CDNs, it just makes sense to do a blacklist approach.
Initial overhead is much larger; having to determine what you need to block to maintain a similar level of security as a whitelist is the big task. Once implemented, it's much easier to maintain; you'll just need to play whack-a-mole to block any sites your users shouldn't be getting to that aren't in the blacklist, so setting up some daily reports for bandwidth or application usage is helpful.
It's intrinsically less secure to do a blacklist instead of a whitelist, but a well-maintained implementation with appropriate security applications will help eliminate that risk.
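
Added example, not part of the original post: one way to build the daily report mentioned above, ranking destinations that the blacklist did not catch by bandwidth so they can be reviewed. The log format (`date user host bytes`), the domain names and the sample lines are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data: blacklist entries and proxy log lines
# (assumed format: date user destination_host bytes).
BLACKLIST = {"badsite.example", "games.example"}
SAMPLE_LOG = """\
2024-05-01 alice cdn.vendor.example 52000
2024-05-01 bob video.stream.example 9100000
2024-05-01 carol video.stream.example 7400000
2024-05-01 bob www.badsite.example 1200
2024-05-01 alice files.share.example 310000
2024-05-01 alice cdn.vendor.example 48000
malformed line
"""

def is_blocked(host, blacklist):
    """True if the host or any parent domain is on the blacklist."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blacklist for i in range(len(labels)))

def daily_report(log_text, blacklist, top=10):
    """Rank hosts NOT covered by the blacklist by total bytes, with distinct users."""
    totals = defaultdict(int)
    users = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue  # skip malformed entries rather than abort the report
        _date, user, host, nbytes = parts
        if is_blocked(host, blacklist):
            continue  # already covered by policy
        host = host.lower()
        totals[host] += int(nbytes)
        users[host].add(user)
    # Highest bandwidth first; host name breaks ties for stable output.
    ranked = sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(h, b, len(users[h])) for h, b in ranked[:top]]

if __name__ == "__main__":
    for host, nbytes, nusers in daily_report(SAMPLE_LOG, BLACKLIST):
        print(f"{host:28} {nbytes:>10} bytes  {nusers} user(s)")
```

Matching on parent domains means a blacklisted `badsite.example` also covers `www.badsite.example`, while an unrelated `notbadsite.example` still shows up in the report.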