I’ve set up Content Security Policy (CSP) on a web app. For the time being it’s set to report-only so that I can assess it first in production and then turn it on if things get clear. But they didn’t. I’m getting some odd reports for which it’s hard for me to even pinpoint the source, and I don’t know how to approach it.
Some of the weird violation reports I’m getting from other logged-in users in production (if I run the app on localhost or if I use the production, I’m not getting any reports on my end):

- `script-src-elem` and `frame-src` violation for the URL `https://js.somecdn.com/filename.js`. The CSP policy defines (among others) `script-src *.somecdn.com` and `frame-src *.somecdn.com`.
- `font-src` violation for the URL `data`. The app doesn’t load any fonts using `data:`, so I don’t have a clue where this could be coming from.
- `script-src-elem` violation for the URL `inline` with `source-file` as `moz-extension`, and `script-src` violation for the URL `eval` or `wasm-eval` with `source-file` as `chrome-extension`. How does one deal with extensions anyway? Can preventing their execution (would still be getting reports) in any way impact the execution of the web app? I assume not, but may be wrong.
- `connect-src` violation for the URL `https://data.sub.somedomain.net` and `img-src` violation for the URL `https://data.sub.somedomain.net`. My CSP sets `connect-src *.somedomain.net` / `img-src *.somedomain.net`, which should cover any subdomain level as per the specification.
I don’t think I can repro any of these, as all I know is the user agent of each report and no other context about the specific user where these reports originate.
Until I get a clear understanding of why I’m getting these, and what impact they have on the web app and on the user experience of those users, I can’t turn on CSP beyond report-only.
How do you deal with CSP reports in production?
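One practical way to get a handle on a noisy report-only feed is to triage each report automatically before looking at it by hand. The script below is an added example, not code from the question or from any CSP library: it reads reports in the legacy `report-uri` JSON shape (`{"csp-report": {...}}`), separates browser-extension noise (`moz-extension://`, `chrome-extension://` in `source-file`) and keyword-only blocked URIs (`inline`, `eval`, `wasm-eval`, `data`) from real URLs, and checks each real URL against the policy the reporting browser actually enforced, the report's own `original-policy`, walking the CSP3 fallback chain (`script-src-elem` falls back to `script-src`, `img-src` and `connect-src` to `default-src`). Host matching follows the spec's wildcard rule that `*.somedomain.net` covers `data.sub.somedomain.net` at any depth but not the bare domain; scheme, port and nonce/hash matching are deliberately left out. The sample reports are constructed to mirror the cases in the question, with placeholder extension ids.

```python
"""Triage CSP violation reports into buckets a defender can act on.

Added example, not code from the original question.  Assumptions: reports
arrive in the legacy report-uri JSON shape; host-source matching is host-only
(scheme/port/nonce/hash tokens are ignored).
"""
import json
from collections import Counter
from urllib.parse import urlsplit

# CSP3 fallback chain: when a directive is absent, the browser consults this one.
FALLBACK = {
    "script-src-elem": "script-src", "script-src-attr": "script-src",
    "style-src-elem": "style-src", "style-src-attr": "style-src",
    "frame-src": "child-src", "worker-src": "child-src", "child-src": "default-src",
    "script-src": "default-src", "style-src": "default-src", "img-src": "default-src",
    "font-src": "default-src", "connect-src": "default-src", "media-src": "default-src",
    "object-src": "default-src", "manifest-src": "default-src",
}

# Values browsers put in blocked-uri that are keywords rather than URLs.
KEYWORDS = {"inline", "eval", "wasm-eval", "data", "blob", "self", "about"}

# source-file / blocked-uri prefixes that identify browser extensions.
EXTENSION_SCHEMES = ("moz-extension://", "chrome-extension://",
                     "safari-extension://", "safari-web-extension://")


def parse_policy(policy: str) -> dict:
    """'script-src a b; img-src c' -> {'script-src': ['a', 'b'], 'img-src': ['c']}"""
    directives = {}
    for token in policy.split(";"):
        parts = token.split()
        if parts:
            directives[parts[0].lower()] = parts[1:]
    return directives


def sources_for(directives: dict, directive: str) -> list:
    """Walk the fallback chain until a directive with sources is found."""
    while directive is not None:
        if directive in directives:
            return directives[directive]
        directive = FALLBACK.get(directive)
    return []


def host_source_matches(source: str, url: str) -> bool:
    """Host-source matching: '*.somedomain.net' matches any subdomain at any
    depth (data.sub.somedomain.net) but not the bare domain; '*' matches all."""
    if source == "*":
        return True
    host = (urlsplit(url).hostname or "").lower()
    if not host:
        return False
    pattern = source.lower()
    if "://" in pattern:                          # 'https://cdn.example' -> 'cdn.example'
        pattern = urlsplit(pattern).hostname or ""
    if pattern.startswith("*."):
        suffix = pattern[1:]                      # '.somedomain.net'
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


def triage(report: dict) -> str:
    """Return one of: extension, keyword, covered-by-policy, investigate."""
    body = report.get("csp-report", report)
    blocked = body.get("blocked-uri") or ""
    source_file = body.get("source-file") or ""
    directive = (body.get("effective-directive") or body.get("violated-directive")
                 or "unknown").split()[0]
    if source_file.startswith(EXTENSION_SCHEMES) or blocked.startswith(EXTENSION_SCHEMES):
        return "extension"            # injected by a browser extension, not by your app
    if blocked in KEYWORDS:
        return "keyword"              # inline/eval/data: etc.; look at script-sample and source-file
    sources = [s for s in sources_for(parse_policy(body.get("original-policy", "")), directive)
               if not s.startswith("'")]   # drop 'self', 'nonce-...', 'sha256-...' tokens
    if any(host_source_matches(s, blocked) for s in sources):
        # The policy in this very report already allows the host: common causes are a
        # redirect to a disallowed host or a second policy (meta tag / proxy) in play.
        return "covered-by-policy"
    return "investigate"


def summarize(reports_ndjson: str) -> dict:
    """Count buckets for a batch of newline-delimited JSON reports."""
    counts = Counter(triage(json.loads(line))
                     for line in reports_ndjson.splitlines() if line.strip())
    return dict(counts)


# Constructed sample reports modelled on the cases in the question (placeholder ids).
SAMPLE_REPORTS = "\n".join(json.dumps({"csp-report": r}) for r in [
    {"effective-directive": "script-src-elem", "blocked-uri": "https://js.somecdn.com/filename.js",
     "original-policy": "default-src 'self'; script-src *.somecdn.com; frame-src *.somecdn.com"},
    {"effective-directive": "font-src", "blocked-uri": "data",
     "original-policy": "default-src 'self'; font-src 'self'"},
    {"effective-directive": "script-src-elem", "blocked-uri": "inline",
     "source-file": "moz-extension://PLACEHOLDER-ID/content.js", "original-policy": "script-src 'self'"},
    {"effective-directive": "connect-src", "blocked-uri": "https://data.sub.somedomain.net/api",
     "original-policy": "default-src 'self'; connect-src *.somedomain.net"},
    {"effective-directive": "img-src", "blocked-uri": "https://pixel.example/track.gif",
     "original-policy": "default-src 'self'; img-src 'self' *.somedomain.net"},
])

if __name__ == "__main__":
    print(summarize(SAMPLE_REPORTS))
```

Run over a real feed, the `extension` and `keyword` buckets are usually the bulk of the noise and can be counted rather than read; `covered-by-policy` is the interesting bucket for the first and fourth cases above, because it tells you the browser's own copy of the policy allowed the host, so the cause lies elsewhere (a redirect, a second policy, or an intermediary rewriting the header) rather than in the source list; `investigate` is what remains for manual review.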