CSP violation with script-src: 'self'

[Synchro]

Prerequisites

• [x] I verified that this is not a filter issue The problem still occurs when uBO is "disabled" via the big button. I have no filters set.
• [x] This is not a support issue or a question
  • Support issues and questions are handled at /r/uBlockOrigin
• [x] I performed a cursory search of the issue tracker to avoid opening a duplicate issue
  • Your issue may already be reported.
• I tried to reproduce the issue when...
  • [x] uBlock Origin is the only extension
  • [x] uBlock Origin with default lists/settings
  • [x] using a new, unmodified browser profile
• [x] I am running the latest version of uBlock Origin
• [x] I checked the documentation to understand that the issue I report is not a normal behavior

Description

uBO causes a CSP violation on page load when I have a CSP containing script-src: 'self'. The problem still occurs when uBO is the only extension loaded and is "disabled" via the big button. I have no filters set.

This appears to be Safari-specific: I can't reproduce it in Chrome.

A specific URL where the issue occurs

https://www.smartmessages.net/login.php

Steps to Reproduce

1. Open the console, enable stop on all exceptions
2. Visit https://www.smartmessages.net/login.php
3. Observe the uncaught exception with this call stack:

It breaks on line 612 of vapi-client.js:

document.documentElement.removeChild(document.documentElement.appendChild(tmpJS));

It's breaking on my CSP, which contains script-src: 'self'; all my scripts are external, no unsafe-inline or unsafe-eval scripts are allowed.

If I disable uBO altogether, the error does not occur.

Expected behavior:

uBlock avoids tripping this CSP rule.

Actual behavior:

uBlock trips this CSP rule.

Your environment

• uBlock Origin version: 1.16.0
• Browser Name and version: Safari 1.11.1 - this does not occur in Chrome Canary
• Operating System and version: macOS 10.11.6