The mobileapps service currently provides a set of default CSP headers. Per @GWicke's suggestion, these should be removed in favor of central handling via RESTBase.
(If we decide to override the centrally provided CSP headers later, the restrictions should be tighter than they are currently.)
This is a follow-up task from the content service security review (T109023) -- see the discussion there for further background.