It is not compatible with $wgUseFileCache
Is this something fixable?
Could the CSP be included in the generated file cache HTML files?
CSP can be delivered to the user agent in different techniques.
Content-Security-Policy HTTP response header field. This is the most preferred technique. <meta> HTML element with http-equiv attribute set to Content-Security-Policy. These elements need to be placed as early as possible in the documents.