Just a note from some local testing I have been doing with another app and CSP: the reporting endpoint will get some unknown amount of noise due to browser plugins. One that I have seen in my own browser setup is a warning triggered by the uBlock Origin Firefox plugin:
{
    "csp-report": {
        "blocked-uri": "self",
        "document-uri": "http://...",
        "line-number": 1,
        "original-policy": "script-src 'self'; default-src 'none'; img-src 'self'; media-src 'none'; style-src 'self'; object-src 'none'; connect-src 'self'; font-src 'self'; report-uri http://...",
        "referrer": "http://...",
        "script-sample": ":root #content > #right > .dose > .doses...",
        "source-file": "http://...",
        "violated-directive": "style-src 'self'"
    }
}
The eventual reporting/analysis tool that is used to decide what needs fixing from the logs will need to be prepared to deal with filtering such noise out.
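As an added illustration of the kind of filtering such an analysis tool needs (this is example code, not from the original note or from any tool it mentions), the following Python triages raw report-uri bodies: it drops malformed bodies, drops reports whose blocked-uri or source-file carries a browser-extension scheme, drops style-src violations whose sample reads like a content blocker's cosmetic-filter selector (the shape of the uBlock Origin report above), and counts the rest by (violated-directive, blocked-uri). The list of extension schemes, the selector heuristic, and the sample bodies other than the first are assumptions constructed for the example.

```python
import json
from collections import Counter

# Constructed sample input: report bodies as a report-uri endpoint receives them.
# The first is modelled on the uBlock Origin report quoted above (http://...
# placeholders kept as-is); the others are constructed for the example.
SAMPLE_BODIES = [
    json.dumps({"csp-report": {
        "blocked-uri": "self",
        "document-uri": "http://...",
        "line-number": 1,
        "original-policy": "script-src 'self'; default-src 'none'; style-src 'self'; report-uri http://...",
        "referrer": "http://...",
        "script-sample": ":root #content > #right > .dose > .doses...",
        "source-file": "http://...",
        "violated-directive": "style-src 'self'",
    }}),
    json.dumps({"csp-report": {
        "blocked-uri": "moz-extension",
        "document-uri": "http://...",
        "original-policy": "script-src 'self'; default-src 'none'",
        "violated-directive": "script-src 'self'",
    }}),
    json.dumps({"csp-report": {
        "blocked-uri": "http://thirdparty.example/widget.js",  # constructed host
        "document-uri": "http://...",
        "original-policy": "script-src 'self'; default-src 'none'",
        "violated-directive": "script-src 'self'",
    }}),
    "not json at all",  # constructed: garbage POSTed to the endpoint
]

# Assumption: browsers report extension-injected resources with one of these
# schemes in blocked-uri or source-file; nothing in the site can fix those.
EXTENSION_SCHEMES = {"moz-extension", "chrome-extension", "safari-extension",
                     "safari-web-extension", "ms-browser-extension"}


def parse_report(body):
    """Return the csp-report dict from a raw body, or None if it is not one."""
    try:
        report = json.loads(body).get("csp-report")
    except (ValueError, AttributeError):
        return None
    return report if isinstance(report, dict) else None


def looks_like_css_selector(sample):
    """Heuristic (assumption): a style sample that starts like a selector, has a
    combinator and no declaration block is a content blocker's cosmetic filter,
    matching the shape of the uBlock Origin report above."""
    s = sample.strip().rstrip(".")
    if not s.startswith((":root", "#", ".")):
        return False
    return "{" not in s and any(tok in s for tok in (">", " ", "+", "~"))


def classify(report):
    """Return (verdict, reason): 'noise' to drop from the fix list, 'review' to keep."""
    blocked = report.get("blocked-uri") or ""
    source = report.get("source-file") or ""
    directive = (report.get("violated-directive") or "").split(" ", 1)[0]
    for uri in (blocked, source):
        if uri.split(":", 1)[0] in EXTENSION_SCHEMES:
            return "noise", "extension-origin uri %r" % uri
    if directive == "style-src" and blocked in ("self", "inline") \
            and looks_like_css_selector(report.get("script-sample") or ""):
        return "noise", "content-blocker cosmetic filter in style sample"
    return "review", "%s blocked %r" % (directive, blocked)


def triage(bodies):
    """Split raw bodies into (keep, noise, counts); counts is keyed by
    (violated-directive, blocked-uri) so the loudest sources stand out."""
    keep, noise, counts = [], [], Counter()
    for body in bodies:
        report = parse_report(body)
        if report is None:
            noise.append((body, "malformed report body"))
            continue
        counts[(report.get("violated-directive", ""), report.get("blocked-uri", ""))] += 1
        verdict, reason = classify(report)
        (keep if verdict == "review" else noise).append((report, reason))
    return keep, noise, counts


if __name__ == "__main__":
    keep, noise, counts = triage(SAMPLE_BODIES)
    for report, reason in keep:
        print("REVIEW", reason, report.get("document-uri"))
    for _, reason in noise:
        print("noise ", reason)
    for key, n in counts.most_common():
        print("%3d  %s" % (n, key))
```

The heuristics err on the side of keeping a report: only an explicit extension scheme or a selector-shaped style sample is dropped, so a real inline-style or third-party script violation still reaches the review list, while the per-(directive, blocked-uri) counts show which noise source is worth a new rule.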