One of your clients reported a problem where different assets are loaded in every browser. Within the eowp.exe the assets are blocked.
After a bit of research I narrowed down the error to the following procedure:
1. EOWP requests a html-document which contains an Image-tag
2. The server responds with a CSP-Header
Content-Security-Policy: default-src 'self'; img-src 'self' 'strict-dynamic'
3. Loading the image gets blocked
Refused to load the image 'http://localhost:3000/images/example.png' because it violates the following Content Security Policy directive: "img-src 'self' 'strict-dynamic'". 'strict-dynamic' is present, so host-based allowlisting is disabled.
I created a node project which serves a page which exhibits the behavior.
https://github.com/anlud/minimal-csp-errorLet me know if I can be of any assistance