Extension:Widgets is incompatible with $wgCSPHeader.
Browser console showing:
Content Security Policy: The page’s settings blocked the loading of a resource at inline (“script-src”).
content-security-policy: script-src 'unsafe-eval' blob: 'self' 'nonce-+S3UuO58ZVhPDsPQ9t+i' 'unsafe-inline'; default-src 'self' data: blob:; style-src 'self' data: blob: 'unsafe-inline'; img-src * data: blob:; object-src 'none'; report-uri /w/api.php?action=cspreport&format=json