Ref T4340. See https://discourse.phabricator-community.org/t/core-exception-during-installation/1193/8.
If we return a response very early during setup, we may not be able to read from the environment yet. Just decline to build a "Content-Security-Policy" header in these cases.