I first noticed this with my own website, but there I was able to temporarily remove the headers. However, I've also recently discovered this on Flickr.
Refused to load the script 'https://www.ssa.gov/accessibility/andi/andi.js' because it violates the following Content Security Policy directive: "script-src https://securepubads.g.doubleclick.net https://adservice.google.com https://cdn.ampproject.org https://*.google.com https://*.google-analytics.com https://*.googleadservices.com https://*.doubleclick.com https://*.doubleclick.de https://*.doubleclick.net https://*.googletagservices.com https://*.googleadservices.com https://*.googlesyndication.com https://*.googleapis.com https://www.googletagmanager.com https://*.infolinks.com https://ads.pubmatic.com https://static.criteo.net https://hb.yellowblue.io https://cs.yellowblue.io https://cdn.jsdelivr.net https://shb.richaudience.com https://sync.richaudience.com/ https://prebid.a-mo.net https://ad.360yield.com https://ad.360yield-basic.com https://pbs.360yield.com https://hb.360yield.com https://player.ex.co https://channelexco.com/ https://*.connatix.com https://adserver.adtech.advertising.com 'unsafe-eval' 'unsafe-inline' 'nonce-58906aa79619ca6e43446fd2554ad394' https://flickr.com https://*.flickr.com https://*.staticflickr.com https://js.stripe.com https://boards.greenhouse.io https://*.trustarc.com https://trustarc.mgr.consensu.org https://cdn.siftscience.com https://assets.pinterest.com https://browser.sentry-cdn.com". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.
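The console message above spells out the rule that decides whether an externally loaded script is blocked: a `<script src=...>` is governed by `script-src-elem`, which falls back to `script-src` and then to `default-src`, and the URL must match one of that directive's host sources (a nonce can also admit it; `'unsafe-inline'` and `'unsafe-eval'` never admit an external URL). The following checker is an added example, not code from the original post or from Flickr. It takes the `script-src` value quoted in the error message as its sample policy and implements the CSP Level 3 host-source matching rules for scheme, wildcard host, port and path prefix. Two simplifications are assumptions made here: `'strict-dynamic'` and hash sources are ignored, and a host source that names no port is taken to match only the scheme's default port. The `pageOrigin` parameter, needed only to resolve `'self'`, is likewise an assumed interface.

```javascript
// Added example (not from the original post): decide whether a script URL is
// allowed by a CSP, using the script-src-elem -> script-src -> default-src
// fallback the browser console describes. Simplified: no 'strict-dynamic',
// no hash sources, and a host source without a port matches only the default
// port (assumptions, see lead-in).

// The script-src value quoted verbatim in the post's console error, reflowed.
const FLICKR_SCRIPT_SRC = `script-src https://securepubads.g.doubleclick.net
  https://adservice.google.com https://cdn.ampproject.org https://*.google.com
  https://*.google-analytics.com https://*.googleadservices.com https://*.doubleclick.com
  https://*.doubleclick.de https://*.doubleclick.net https://*.googletagservices.com
  https://*.googleadservices.com https://*.googlesyndication.com https://*.googleapis.com
  https://www.googletagmanager.com https://*.infolinks.com https://ads.pubmatic.com
  https://static.criteo.net https://hb.yellowblue.io https://cs.yellowblue.io
  https://cdn.jsdelivr.net https://shb.richaudience.com https://sync.richaudience.com/
  https://prebid.a-mo.net https://ad.360yield.com https://ad.360yield-basic.com
  https://pbs.360yield.com https://hb.360yield.com https://player.ex.co
  https://channelexco.com/ https://*.connatix.com https://adserver.adtech.advertising.com
  'unsafe-eval' 'unsafe-inline' 'nonce-58906aa79619ca6e43446fd2554ad394'
  https://flickr.com https://*.flickr.com https://*.staticflickr.com https://js.stripe.com
  https://boards.greenhouse.io https://*.trustarc.com https://trustarc.mgr.consensu.org
  https://cdn.siftscience.com https://assets.pinterest.com https://browser.sentry-cdn.com`;

const DEFAULT_PORT = { http: "80", https: "443" };

// Parse "name src src; name src" into a Map; a repeated directive is ignored,
// as browsers do (the first occurrence wins).
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// Fallback chain for <script src> element loads.
function governingDirective(policy) {
  for (const d of ["script-src-elem", "script-src", "default-src"]) {
    if (policy.has(d)) return d;
  }
  return null;
}

// A source scheme matches the URL's scheme, except that http: also admits https:.
function schemeAllows(sourceScheme, url) {
  const s = url.protocol.slice(0, -1);
  return sourceScheme === s || (sourceScheme === "http" && s === "https");
}

function hostSourceMatches(source, url) {
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)*)(?::(\d+|\*))?(\/\S*)?$/i.exec(source);
  if (!m) return false;
  const [, scheme, hostPattern, port, path] = m;
  const urlScheme = url.protocol.slice(0, -1);
  if (scheme) {
    if (!schemeAllows(scheme.toLowerCase(), url)) return false;
  } else if (!(urlScheme in DEFAULT_PORT)) {
    return false; // assumption: a bare host source means http(s) only
  }
  const host = url.hostname.toLowerCase();
  const pat = hostPattern.toLowerCase();
  if (pat !== "*") {
    if (pat.startsWith("*.")) {
      // "*.google.com" matches "www.google.com" but not "google.com" itself.
      if (!host.endsWith(pat.slice(1))) return false;
    } else if (pat !== host) {
      return false;
    }
  }
  if (port === undefined) {
    if (url.port !== "") return false; // assumption: default port only
  } else if (port !== "*" && port !== (url.port || DEFAULT_PORT[urlScheme])) {
    return false;
  }
  if (path) {
    // A path ending in "/" is a prefix; anything else must match exactly.
    if (path.endsWith("/")) { if (!url.pathname.startsWith(path)) return false; }
    else if (url.pathname !== path) return false;
  }
  return true;
}

// Returns { allowed, directive }, where directive is the one that governed
// the decision (what the console error reports after "violates ... directive").
function isScriptAllowed(header, scriptUrl, scriptNonce, pageOrigin) {
  const policy = parseCsp(header);
  const directive = governingDirective(policy);
  if (!directive) return { allowed: true, directive: null };
  const url = new URL(scriptUrl);
  let allowed = false;
  for (const src of policy.get(directive)) {
    if (src.startsWith("'")) {
      // Keywords: 'unsafe-inline' / 'unsafe-eval' never admit an external URL.
      if (scriptNonce && src === `'nonce-${scriptNonce}'`) allowed = true;
      else if (src === "'self'" && pageOrigin && url.origin === pageOrigin) allowed = true;
    } else if (/^[a-z][a-z0-9+.-]*:$/i.test(src)) {
      if (schemeAllows(src.slice(0, -1).toLowerCase(), url)) allowed = true; // e.g. "https:"
    } else if (hostSourceMatches(src, url)) {
      allowed = true;
    }
    if (allowed) break;
  }
  return { allowed, directive };
}

console.log(isScriptAllowed(FLICKR_SCRIPT_SRC, "https://www.ssa.gov/accessibility/andi/andi.js"));
// { allowed: false, directive: 'script-src' }
```

Running the quoted policy against the ANDI URL reproduces the console's verdict: no host source covers `www.ssa.gov`, and the `'unsafe-inline'` keyword is irrelevant to an external `src` (with a nonce present it is ignored by the browser in any case). The only way the page's own policy would admit that script is a matching `nonce` attribute on the injected `<script>` element, which a bookmarklet or extension does not control.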