In D20100, I changed this page from returning a newPage() with a dialog as its content to returning a more modern newDialog().
However, the magic to add stuff to the CSP header is actually only on the newPage() pathway today, so this accidentally dropped the extra "Content-Security-Policy" rule for Google.
Lift the magic up one level so both Dialog and Page responses hit it.