Content-Security-Policy: script-src 'self'; object-src 'none'
which TM 5.1.3 sends.
I've looked thru all of the Composer version release notes but cannot see which version upgraded to momentjs 1.7.2 which does not have this problem.
Can someone please tell me which version of composer made the upgrade to momentjs 1.7.2
Composer was updated to use MomentJS 1.7.2 in Composer 4.3 Service Pack 2 due to the issue you mentioned with 1.7.0 not working with CSP. The two easiest solutions are to disable CSP or update your forms to use at least 4.3 SP2. The midway solution is to have two portals and have one with CSP and newer forms and another without CSP for your older forms.
how to update the CSP in TM
Managing Content Security Policy (CSP) Settings
Thanks for the update. For now I've added 'unsafe-eval' to script-src as a workaround.