From T217348#5002107:
The issue we're running into with the current implementation is that the x-content-security-policy header excludes custom schemes for script-src and style-src. Could they be updated to be less restrictive? The [iOS] app works with the app:// scheme URLs added:
...script-src app://meta.wikimedia.org https://meta.wikimedia.org 'unsafe-inline'; style-src app://meta.wikimedia.org https://meta.wikimedia.org app://*.wikipedia.org https://*.wikipedia.org 'self' 'unsafe-inline';...
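The mismatch described in the comment above, as an added example that is not part of the quoted comment or of any Wikimedia code: a CSP host-source that names `https://` does not cover the same host under `app://`. The matcher is simplified (scheme-source and host-source only, ports and paths ignored), and the `HTTPS_ONLY` policy and the URLs passed to `allows` are constructed assumptions.

```javascript
// Simplified CSP source-list matching: scheme and host only (ports and paths ignored).
function parseDirectives(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name) directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// An "http" source also covers "https"; every other scheme must match exactly.
const schemeMatches = (want, got) => want === got || (want === 'http' && got === 'https');

function hostMatches(pattern, host) {
  const p = pattern.toLowerCase(), h = host.toLowerCase();
  // "*.example.org" covers subdomains but not the bare domain.
  return p.startsWith('*.') ? h.endsWith(p.slice(1)) : p === h;
}

function sourceMatches(source, url, page) {
  const scheme = url.protocol.slice(0, -1);
  const pageScheme = page.protocol.slice(0, -1);
  if (source === "'self'") return scheme === pageScheme && hostMatches(page.hostname, url.hostname);
  if (source.startsWith("'")) return false; // 'unsafe-inline', nonces, hashes never match a URL
  const schemeOnly = /^([a-z][a-z0-9+.-]*):$/i.exec(source);
  if (schemeOnly) return schemeMatches(schemeOnly[1].toLowerCase(), scheme);
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^\/:]+)/i.exec(source);
  if (!m) return false;
  // A host-source without a scheme inherits the scheme of the protected page.
  const want = m[1] ? m[1].toLowerCase() : pageScheme;
  return schemeMatches(want, scheme) && hostMatches(m[2], url.hostname);
}

function allows(policy, directive, resource, pageUrl) {
  const sources = parseDirectives(policy)[directive] || [];
  const url = new URL(resource);
  const page = new URL(pageUrl);
  return sources.some((s) => sourceMatches(s, url, page));
}

// Source lists as quoted in the comment above.
const PROPOSED = "script-src app://meta.wikimedia.org https://meta.wikimedia.org 'unsafe-inline'; " +
  "style-src app://meta.wikimedia.org https://meta.wikimedia.org app://*.wikipedia.org " +
  "https://*.wikipedia.org 'self' 'unsafe-inline'";
// Constructed for comparison: the same lists without the app:// entries.
const HTTPS_ONLY = "script-src https://meta.wikimedia.org 'unsafe-inline'; " +
  "style-src https://meta.wikimedia.org https://*.wikipedia.org 'self' 'unsafe-inline'";
```

Calling `allows(HTTPS_ONLY, 'script-src', 'app://meta.wikimedia.org/load.js', 'https://meta.wikimedia.org/')` returns `false`, while the same call with `PROPOSED` returns `true`.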