CSP discrepancies


I’m getting weird CSP issues in Sentry.

The CSP header of this page:

Is this:

Content-Security-Policy: default-src https: wss:; img-src 'self' https: data:; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval' js.stripe.com www.google-analytics.com widget.intercom.io js.intercomcdn.com; object-src 'none'; font-src 'self' data: js.intercomcdn.com; frame-ancestors 'self'; report-uri https://xxxxxx.ingest.sentry.io/api/xxxxxxxx/security/?sentry_key=xxxxx

However I’m seeing a font being blocked, and the original_policy doesn’t list js.intercomcdn.com as a domain. What’s going on there?

The browser is Mobile Safari 13.1.