Content security policy (CSP) reports that seem unrelated to the web app
I've set up Content Security Policy (CSP) on a web app. For the time being it's set to report only so that I can assess it first in production and then turn it on if things get clear. But so far they're not. I'm getting some odd reports for which it's hard for me to even pinpoint the reason, let alone know how to mitigate them.
Some of the weird violation reports I'm getting from other logged-in users in production (if I run the app on localhost or if I use production myself, I'm not getting any reports on my end):
1. script-src-elem and frame-src violation for the URL https://js.somecdn.com/filename.js. The CSP policy defines (among others) script-src *.somecdn.com and frame-src *.somecdn.com, so I don't understand why this report even happens.
2. font-src violation for the URL data. The app doesn't load any fonts using data:, so I don't have a clue where this could be coming from. Could it be some extension?
3. script-src-elem violation for the URL inline with source-file as moz-extension, and script-src violation for the URL eval or wasm-eval with source-file as chrome-extension. How does one deal with extensions anyway? Can preventing their execution (I would still be getting reports) in any way impact the execution of the web app? I assume not, but may be wrong.
4. connect-src violation for the URL https://data.sub.somedomain.net and img-src violation for the URL https://data.sub.somedomain.net. My CSP sets connect-src *.somedomain.net / img-src *.somedomain.net, which should cover any subdomain level as per the specification. These violations IMO shouldn't happen according to the settings.
I don't think I can repro any of these as all I know is the user agent of each report and no other context of a specific user/browser configuration where these reports originated.
Until I get a clear understanding of why I'm getting these and what impact they have on the web app and the user experience of those users, I can't turn on CSP beyond report-only.
How do you repro or troubleshoot CSP reports in production if you don't have enough context?
Sidenote: The app also uses stats services like Google Tag Manager and MS Clarity, but all those CSP settings are provided according to the documentation. There are no reports when I run the production instance, which implies that CSP is set up correctly for the services that are running.
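As an added example (not part of the question, and not code from any browser vendor), the following Python script shows one way to triage report-only CSP data when there is no per-user context: it parses the JSON body a browser POSTs to a report-uri endpoint, applies the CSP3 directive fallback chain (script-src-elem falls back to script-src, frame-src to child-src, then default-src), implements host-source matching (a leading "*." covers any number of subdomain levels but not the bare domain), and sorts each report into one of three buckets: extension-injected noise, reports that contradict the policy, and genuinely unmatched resources. The policy string, hostnames, paths and extension ids in the sample reports are constructed to mirror the shapes described above. The "policy-allowed" note lists the two things an engineer would check first: whether that client evaluated an older cached policy, and whether the request was redirected to a host the policy does not allow.

```python
"""Triage Content-Security-Policy violation reports into buckets (added example)."""
import json
from urllib.parse import urlsplit

# Schemes used only by browser extensions and the scripts they inject into pages.
EXTENSION_SCHEMES = ("moz-extension:", "chrome-extension:",
                     "safari-web-extension:", "ms-browser-extension:")

# CSP3 fallback: a directive absent from the policy is governed by the next one listed.
FALLBACK = {
    "script-src-elem": ["script-src", "default-src"],
    "script-src-attr": ["script-src", "default-src"],
    "style-src-elem": ["style-src", "default-src"],
    "style-src-attr": ["style-src", "default-src"],
    "frame-src": ["child-src", "default-src"],
    "worker-src": ["child-src", "script-src", "default-src"],
}


def parse_policy(policy: str) -> dict:
    """'script-src a b; img-src c' -> {'script-src': ['a', 'b'], 'img-src': ['c']}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def effective_sources(directives: dict, directive: str):
    """Return (governing directive, its source list) after applying the fallback chain."""
    for name in [directive] + FALLBACK.get(directive, ["default-src"]):
        if name in directives:
            return name, directives[name]
    return None, []


def source_matches(pattern: str, url: str) -> bool:
    """Does one CSP source expression match a URL? Keywords/nonces/hashes never do.
    Simplification: a pattern without a port accepts any port on the URL."""
    if pattern.startswith("'"):
        return False
    u = urlsplit(url)
    if pattern == "*":
        return u.scheme not in ("data", "blob", "filesystem")
    if pattern.endswith(":") and "/" not in pattern:      # scheme-source, e.g. https: or data:
        return u.scheme == pattern[:-1]
    p = urlsplit(pattern if "://" in pattern else "//" + pattern)
    if p.scheme and p.scheme != u.scheme:
        return False
    if p.port is not None and p.port != u.port:
        return False
    host, target = (p.hostname or ""), (u.hostname or "")
    if host.startswith("*."):                             # *.x.com matches a.x.com and a.b.x.com
        return target.endswith(host[1:])
    return host == target


def triage(report: dict) -> dict:
    """Classify one csp-report object into a bucket with a short, actionable note."""
    r = report.get("csp-report", report)
    blocked = r.get("blocked-uri", "")
    source = r.get("source-file", "")
    directive = (r.get("effective-directive") or r.get("violated-directive") or "unknown").split()[0]
    governed_by, sources = effective_sources(parse_policy(r.get("original-policy", "")), directive)
    # Browsers report data:/blob: resources as a bare scheme name; restore the colon for matching.
    url = blocked + ":" if blocked in ("data", "blob", "filesystem") else blocked

    if source.startswith(EXTENSION_SCHEMES) or blocked.startswith(EXTENSION_SCHEMES):
        bucket, note = "extension", f"injected by a browser extension ({source or blocked}); not app code"
    elif ":" in url and any(source_matches(s, url) for s in sources):
        bucket = "policy-allowed"
        note = (f"{blocked} is allowed by {governed_by}; check whether this client evaluated a stale "
                f"cached policy or the request was redirected outside {sources}")
    else:
        bucket = "unmatched"
        what = {"inline": "inline script/style", "eval": "eval()",
                "wasm-eval": "WebAssembly compile", "data": "data: URL"}.get(blocked, blocked)
        where = f"from {source}" if source else "with no source-file"
        note = f"{what} blocked under {directive} {where}; allow it only if the app needs it"
    return {"directive": directive, "blocked": blocked, "bucket": bucket, "note": note}


def summarize(raw_reports: list) -> dict:
    """Count reports per bucket; accepts raw JSON strings or already-decoded dicts."""
    counts = {}
    for raw in raw_reports:
        bucket = triage(json.loads(raw) if isinstance(raw, str) else raw)["bucket"]
        counts[bucket] = counts.get(bucket, 0) + 1
    return counts


# Constructed sample policy and reports modelled on the question (hosts and ids are placeholders).
POLICY = ("default-src 'self'; script-src 'self' *.somecdn.com; frame-src *.somecdn.com; "
          "font-src 'self'; connect-src 'self' *.somedomain.net; img-src 'self' *.somedomain.net")
SAMPLE_REPORTS = [
    {"csp-report": {"effective-directive": "script-src-elem", "original-policy": POLICY,
                    "blocked-uri": "https://js.somecdn.com/filename.js"}},
    {"csp-report": {"effective-directive": "font-src", "original-policy": POLICY, "blocked-uri": "data"}},
    {"csp-report": {"effective-directive": "script-src-elem", "original-policy": POLICY, "blocked-uri": "inline",
                    "source-file": "moz-extension://placeholder-id/content.js"}},
    {"csp-report": {"effective-directive": "script-src", "original-policy": POLICY, "blocked-uri": "eval",
                    "source-file": "chrome-extension://placeholder-id/inject.js"}},
    {"csp-report": {"effective-directive": "connect-src", "original-policy": POLICY,
                    "blocked-uri": "https://data.sub.somedomain.net/api"}},
]

if __name__ == "__main__":
    for rep in SAMPLE_REPORTS:
        t = triage(rep)
        print(f"[{t['bucket']:14}] {t['directive']:16} {t['note']}")
    print(summarize(SAMPLE_REPORTS))
```

Run against a day of stored report bodies, the "extension" bucket can be dropped from the enforcement decision outright (an extension's own script being blocked does not affect the app's code), the "unmatched" bucket is the list of resources to either add to the policy or confirm as injected, and anything in "policy-allowed" is the real anomaly worth correlating with user agent and document-uri, since by the policy's own rules it should not have been reported at all.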