Strange problem, which I probably don't understand well enough to explain...
CSP configured with enforce: true; works well until I pull in a third-party JavaScript that injects an iframe into the page. With the JavaScript in place, the first request after an app restart correctly enforces CSP; all subsequent requests, however, return a Content-Security-Policy-Report-Only: header.
I'm struggling to understand how injecting an iframe into the page can be causing secure_headers apparently to ignore my configured enforce: true for the CSP.
Any help greatly appreciated.