For security reasons, the customer injects the Content-Security-Policy header through a reverse proxy.
The policy adopted is basic: "default-src 'self'"
With this policy in place, the QlikView Access Point page is only partially rendered when opened, and logon does not work, depending on the browser used.
The Content-Security-Policy header contains a string of rules that tells the browser which resources and code are trusted to be loaded, executed, or rendered.
More details on the topic can be found here: https://www.w3.org/TR/CSP3/
For QlikView Accesspoint, a first example is to use Content-Security-Policy: "default-src 'self' 'unsafe-inline' data: ;" (note that the 'unsafe-inline' option could be unsafe in the proxy injection scenario when the client browses a different site; you could evaluate using the sha256-hashcode version instead).
Further options could be necessary if, for example, you have QlikView Extension Objects (Server and Document Extensions) that use external resources downloaded from CDN locations.
In this case the troubleshooting is the same: use F12/Developer Tools to check which resource violates the policy and add an exclusion.
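The sha256 alternative to 'unsafe-inline' mentioned above can be generated as in the following added example, which is not Qlik code: it hashes each inline script and style block of a page and emits them as hash sources. The SAMPLE markup and the function names are constructed for illustration, and the split into script-src and style-src directives is an assumption about how the policy would be laid out.

```python
import base64
import hashlib
from html.parser import HTMLParser

def csp_hash(text: str) -> str:
    """Return the CSP hash source for the exact text of one inline block."""
    digest = hashlib.sha256(text.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"

class InlineCollector(HTMLParser):
    """Collect the bodies of inline <script> and <style> elements."""
    def __init__(self):
        super().__init__()
        self.found = {"script": [], "style": []}
        self._tag, self._buf = None, []  # element being captured, its text

    def handle_starttag(self, tag, attrs):
        # External scripts (src=...) are allowed by host sources, not hashes.
        if tag in self.found and "src" not in dict(attrs):
            self._tag, self._buf = tag, []

    def handle_data(self, data):
        if self._tag:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == self._tag:
            self.found[tag].append("".join(self._buf))
            self._tag = None

def build_policy(html: str) -> str:
    """Build a policy that uses per-block hashes instead of 'unsafe-inline'."""
    parser = InlineCollector()
    parser.feed(html)
    parser.close()
    parts = ["default-src 'self' data:"]
    for tag, directive in (("script", "script-src"), ("style", "style-src")):
        hashes = sorted({csp_hash(body) for body in parser.found[tag]})
        if hashes:  # a directive is only emitted when inline blocks exist
            parts.append(f"{directive} 'self' " + " ".join(hashes))
    return "; ".join(parts)

# Constructed sample page, not real AccessPoint markup.
SAMPLE = """<head><style>body { margin: 0; }</style>
<script src="/js/app.js"></script>
<script>window.started = true;</script></head>"""

if __name__ == "__main__":
    print(build_policy(SAMPLE))
```

A hash only matches the exact inline text the browser receives, so the policy has to be regenerated after any change to the page. Inline event handler attributes and style attributes are not covered by these hashes.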
Other articles you may find of interest are: QlikView Access Point Shows "Loading Content" Indefinitely, What is CSP (Content-Security-Policy) and How does it Relate to Qlik?