Having not had much feedback on my last CSP questions, here's a more directed question:
Why, when $CSPEnabled is TRUE, would a page refresh/new page load not have the CSP header/s injected into the HTML (vs subsequent Ajax interactions having them inserted into every transaction)?