The issue lies specifically within the HTML generated by the exportHtml function. This exported HTML contains inline "onclick" events, which are not compliant with Content Security Policy (CSP).