If a Wiki Farm offers custom domains to its users (or possibly in other unexplored situations), they can proxy requests through a server which can change the headers, including the CSP. This could cause undesirable security consequences, including allowing users to load malicious content.
This is easily doable via the Cloudflare Workers proxy system.
MediaWiki offers a $wgContentSecurityPolicy header but it should be enforced in a way that can't be easily hacked and worked around.
Tagging Security-Team due to a recent security-help@ ticket.
cc @Dsharpe so he can copy his comments here
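
One way a farm operator could detect the header rewriting described above, as an added example that is not part of the original task or MediaWiki's own code: compare the CSP the origin sent with the CSP received through the custom domain. The function names and all header values are constructed for illustration.

```python
# Added example: flag a CSP that was removed or weakened between the wiki
# origin and a custom-domain proxy. Header values below are constructed.

def parse_csp(header):
    """Parse a Content-Security-Policy value into {directive: set(sources)}."""
    policy = {}
    for part in (header or "").split(";"):
        tokens = part.strip().split()
        if not tokens:
            continue
        # Browsers ignore a repeated directive, so keep the first occurrence.
        policy.setdefault(tokens[0].lower(), set(tokens[1:]))
    return policy


def csp_drift(origin_headers, proxied_headers):
    """List the ways the proxied CSP is weaker than the origin's CSP."""
    name = "content-security-policy"
    origin = {k.lower(): v for k, v in origin_headers.items()}
    proxied = {k.lower(): v for k, v in proxied_headers.items()}
    if name not in origin:
        return []  # origin sent no policy, nothing to compare against
    if name not in proxied:
        return ["CSP header removed in transit"]
    want, got = parse_csp(origin[name]), parse_csp(proxied[name])
    findings = []
    for directive, sources in sorted(want.items()):
        if directive not in got:
            findings.append(f"directive dropped: {directive}")
            continue
        extra = got[directive] - sources
        if extra:
            findings.append(f"{directive} widened with: {' '.join(sorted(extra))}")
    return findings


# Constructed sample responses: direct from origin, and via two proxies.
ORIGIN = {"Content-Security-Policy":
          "default-src 'self'; script-src 'self' 'nonce-abc123'; object-src 'none'"}
PROXIED_STRIPPED = {"Content-Type": "text/html"}
PROXIED_WIDENED = {"content-security-policy":
                   "default-src 'self'; script-src 'self' 'nonce-abc123' https://cdn.example"}

if __name__ == "__main__":
    print(csp_drift(ORIGIN, PROXIED_STRIPPED))
    print(csp_drift(ORIGIN, PROXIED_WIDENED))
```

The comparison has to run from a vantage point outside the proxy (for example, a monitor that fetches each custom domain), because the origin never sees the rewritten response.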