In mobileapps commit c7e1cf9, an allowed connect-src value of app://*.wikimedia.org was added to the content security policy for mobile-html. However, the updated value is not appearing on recently rendered mobile-html responses:
BAD:
https://en.wikipedia.org/api/rest_v1/page/mobile-html/Edwin_Catmull
https://en.wikipedia.org/api/rest_v1/page/mobile-html/Tokyo
https://en.wikipedia.org/api/rest_v1/page/mobile-html/User_talk:MHolloway_%28WMF%29 (note: the correct value did appear initially for this URL, and then more recently disappeared)
(Aside: Where are the HTTP response headers such as CSP coming from when a response is served from RESTBase storage? Looking at https://github.com/wikimedia/restbase/blob/master/v1/pcs/stored_endpoint.js, it looks like only the response body from mobileapps is stored, not the headers.)
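A check for the symptom described above, as an added example that is not part of the original task and is not RESTBase or mobileapps code: it parses the `Content-Security-Policy` header value(s) of a response and reports which policies fail to list a wanted `connect-src` source. The function names are hypothetical and the header values are constructed samples, not the real mobile-html policy.

```javascript
'use strict';
// Added example, not RESTBase or mobileapps code. Function names are hypothetical.

// Parse one serialized policy into a Map of directive name -> source list.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // Within one policy, a repeated directive name is ignored (first one wins).
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Source list governing a fetch directive, falling back to default-src.
function effectiveSources(directives, directive) {
  if (directives.has(directive)) return directives.get(directive);
  if (directives.has('default-src')) return directives.get('default-src');
  return null; // this policy does not restrict the directive
}

// headerValues: one string per Content-Security-Policy header on a response.
// A header value may carry several comma-separated policies, and every policy
// is enforced, so each one that restricts the directive must list the source.
// Literal comparison only: a broader expression such as * is not recognised.
function listsSource(headerValues, directive, source) {
  const policies = headerValues
    .flatMap((value) => value.split(','))
    .map(parsePolicy)
    .filter((directives) => directives.size > 0);
  const missingFrom = [];
  policies.forEach((directives, index) => {
    const sources = effectiveSources(directives, directive);
    if (sources !== null && !sources.includes(source)) missingFrom.push(index);
  });
  return { policies: policies.length, missingFrom };
}

// Constructed header values, not the real mobile-html policy.
const WANTED = 'app://*.wikimedia.org';
const updated = "default-src 'none'; connect-src app://*.wikimedia.org https://*.wikipedia.org";
const outdated = "default-src 'none'; connect-src https://*.wikipedia.org";

console.log(listsSource([updated], 'connect-src', WANTED));
console.log(listsSource([updated, outdated], 'connect-src', WANTED));
```

If a response carries two policies from different layers, the second call shows why an updated policy alone is not enough: the outdated one still blocks the source.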