$wgCSPHeader is currently incompatible with $wgUseFileCache.
Quote $wgCSPHeader:
It is not compatible with $wgUseFileCache
Is this something fixable?
Could the CSP be included in the generated file cache HTML files?
Policy Delivery
CSP can be delivered to the user agent in different techniques.
Content-Security-Policy HTTP response header field. This is the most preferred technique. <meta> HTML element with http-equiv attribute set to Content-Security-Policy. These elements need to be placed as early as possible in the documents.