@ivory I had a lengthy chat with my instance admin as well and we narrowed it down to this:
The src path was misconfigured, so the server tried to use Rails as a fallback proxy. This explains why the Content-Security-Policy headers from the application were spit out.
No client is to blame here. And I think this is my 3rd message to you with an issue that has nothing to do with Ivory. Apologies.