The non-hotspot way is not as tight, because it can only block / allow certain IP addresses....
So if a permitted IP address hosts a site you want as well as a site you do not want, then there's no way (using this method alone) to block the other site(s) also being hosted on the same server.
Anyway, to do this, make an IP address list in the firewall settings - call it allowedhosts (or whatever makes sense).
When adding entries to the list, don't use IP addresses but hostnames:
i.e.
/ip firewall address-list
add list=allowedhosts address=www.goodsite.example.com
add list=allowedhosts address=www.okaysite.example.org
etc...
The list will automatically do the DNS lookups and add all discovered IP addresses to the "allowedhosts" list as dynamic entries. These will be regularly updated with the same interval as the DNS entries' TTL values.
So then you have a filter rule set which includes something to the effect of:
/ip firewall filter
add chain=forward out-interface=wan src-address=x.x.x.x/x protocol=tcp dst-port=80,443 dst-address-list=allowedhosts action=accept
add chain=forward out-interface=wan src-address=x.x.x.x/x action=drop
The src-address=x.x.x.x/x would be some network range that matches your restricted hosts.
If all restricted hosts have IP addresses 192.168.10.64-127, then src-address=192.168.10.64/26
Another option would be to make another IP address list called "restrictedhosts" and add the individual IP addresses of your restricted hosts into this list, and simply use src-address-list=restrictedhosts instead of the src-address=x.x.x.x/x
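The following is an added example, not part of the original post: a small Python model of the two forward rules that shows why a site sharing a server with an allowed hostname still gets through, and checks that 192.168.10.64/26 covers exactly .64-.127. The DNS answers are constructed (documentation address ranges) and www.unwanted.example.net is a hypothetical co-hosted site.

```python
import ipaddress

# Constructed DNS data; the last name is a hypothetical unwanted site
# hosted on the same server (same IP) as an allowed one.
DNS = {
    "www.goodsite.example.com": ["203.0.113.10"],
    "www.okaysite.example.org": ["198.51.100.20", "198.51.100.21"],
    "www.unwanted.example.net": ["203.0.113.10"],
}
ALLOWED_NAMES = ["www.goodsite.example.com", "www.okaysite.example.org"]
RESTRICTED = ipaddress.ip_network("192.168.10.64/26")  # hosts .64-.127


def build_allowedhosts(names, dns):
    """Resolve each listed hostname; the list ends up holding addresses, not names."""
    return {ipaddress.ip_address(a) for n in names for a in dns[n]}


def forward_verdict(src, dst, proto, dport, allowedhosts):
    """Evaluate the two forward-chain rules, in order, for traffic leaving via wan."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src not in RESTRICTED:
        return "no-match"   # neither rule applies to this source
    if proto == "tcp" and dport in (80, 443) and dst in allowedhosts:
        return "accept"     # rule 1: allowed destination on 80/443
    return "drop"           # rule 2: everything else from restricted hosts


def site_verdict(src, hostname, dns, allowedhosts, dport=443):
    """Verdict per resolved address when a restricted client browses to hostname."""
    return {a: forward_verdict(src, a, "tcp", dport, allowedhosts)
            for a in dns[hostname]}


if __name__ == "__main__":
    allowed = build_allowedhosts(ALLOWED_NAMES, DNS)
    for name in DNS:
        print(name, site_verdict("192.168.10.70", name, DNS, allowed))
    # Forwarded DNS (udp/53) from a restricted host also falls to the drop rule.
    print("dns:", forward_verdict("192.168.10.70", "192.0.2.53", "udp", 53, allowed))
```

The unwanted name is accepted because the rule only ever sees the destination address, which is the limitation described at the top of the post.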