I’ve setup Content Security Policy (CSP) on a web app. For the time being it’s set to report only so that I can assess it first in production and then turn it on if things get clear. But they didn’t. I’m getting some odd reports of which it’s hard for me to even pinpoint the source or not knowing how to approach it.