MetaMask Browser (on Android) does not enforce Content-Security-Policy header