Definitely seems to be some kind of issue with CSP (not sure whether that’s an iOS10 bug or not), it looks like people are having success with this CSP though:
<meta http-equiv="Content-Security-Policy" content="default-src gap://ready file://* *; script-src 'self' 'unsafe-inline' 'unsafe-eval' *; style-src 'self' 'unsafe-inline' *”>