Looks like you have 2 Content-Security-Policy issued. If multiple CSPs the strictest rules from both will apply (all sources/tokens should pass via both CSPs unscratched).
Content Security Policy could be delivered 2 ways:
- via HTTP header
Content-Security-Policy:
(prefereed) - via meta-tag (restricted possibilities)
So you need to check for double <meta http-equiv="Content-Security-Policy"
in the HTML code.
And check the HTTP response headers(because CMS could publush CSP by default) in the browser developers tool (Crtl+Shift+i in Chrome and Crtl+Shift+k in Fifrefox -> Network tab -> select main page at the left window and look Response headers):