Some requests (in particular the frontend) are static assets going straight from Nginx disk back to the client. E.g. / serves the /index.html file. That means we never go into Django where django_csp sets CSP headers. Let's move all CSP setting to Nginx.
I'll make a PR on https://github.com/mozilla-services/cloudops-deployment/blob/symbols/projects/symbols/puppet/modules/symbols/templates/http_symbols.conf.erb and I'll remove django_csp and its settings.