
Content security policy (CSP) reports that seem unrelated to the web app

Çağlar Arlı

I've set up Content Security Policy (CSP) on a web app. For the time being it's set to report-only so that I can assess it first in production and then turn it on once things are clear. But so far they're not. I'm getting some odd reports for which it's hard for me to even pinpoint the reason, let alone know how to mitigate them.

Some of the weird violation reports I'm getting from other logged-in users in production (if I run the app on localhost or if I use the production instance, I'm not getting any reports on my end):

  1. script-src-elem and frame-src violation for the URL https://js.somecdn.com/filename.js

    The CSP policy defines (among others) script-src *.somecdn.com and frame-src *.somecdn.com, so I don't understand why this report even happens.

  2. font-src violation for the URL data

    The app doesn't load any fonts using data: so I don't have a clue where this could be coming from. Could it be some extension?

  3. script-src-elem violation for the URL inline and source-file as moz-extension and
    script-src violation for the URL eval or wasm-eval and source-file as chrome-extension

    How does one deal with extensions anyway? Can preventing their execution (I would still be getting reports) in any way impact the execution of the web app? I assume not, but I may be wrong.

  4. connect-src violation for the URL https://data.sub.somedomain.net and
    img-src violation for URL https://data.sub.somedomain.net

    My CSP sets connect-src *.somedomain.net / img-src *.somedomain.net, which should cover any subdomain level as per the specification. These violations, IMO, shouldn't happen given the settings.

I don't think I can repro any of these, as all I know is the user agent of each report and no other context about the specific user/browser configuration where these reports originated.

Until I get a clear understanding of why I'm getting these and what impact they have on the web app and on the user experience of those users, I can't turn on CSP beyond report-only.

How do you repro or troubleshoot CSP reports in production if you don't have enough context?

Sidenote: The app also uses stats services like Google Tag Manager and MS Clarity, but all of their CSP settings are configured according to the documentation. There are no reports when I run the production instance, which implies that CSP is set up correctly for the services that are running.
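One way to triage reports like these on the receiving endpoint, as an added example that is not part of the question: bucket each csp-report object by whether it was injected by a browser extension, was generated under a policy other than the deployed one (the report's original-policy field), names a URL the deployed policy already permits (so it cannot be explained by the policy as written), or exposes a genuine gap. The POLICY source lists and SAMPLE_REPORTS are constructed assumptions modelled on the question, not real captures.

```python
from urllib.parse import urlsplit
# Deployed report-only policy as described in the question (exact source lists are assumed).
POLICY = {
    "script-src": ["'self'", "*.somecdn.com"],
    "frame-src": ["*.somecdn.com"],
    "connect-src": ["*.somedomain.net"],
    "img-src": ["*.somedomain.net"],
    "font-src": ["'self'"],
}
DEPLOYED = "; ".join(f"{d} {' '.join(s)}" for d, s in POLICY.items())
EXTENSION_SCHEMES = ("moz-extension", "chrome-extension", "safari-web-extension")
# blocked-uri values browsers report for non-URL sources, and the keyword that would permit them
KEYWORDS = {"inline": "'unsafe-inline'", "eval": "'unsafe-eval'", "wasm-eval": "'wasm-unsafe-eval'", "data": "data:"}
# Constructed report-uri style reports modelled on the ones in the question (not real captures).
SAMPLE_REPORTS = [
    {"violated-directive": "script-src-elem", "blocked-uri": "https://js.somecdn.com/filename.js",
     "source-file": "https://app.example/", "original-policy": "default-src 'self'"},
    {"violated-directive": "frame-src", "blocked-uri": "https://js.somecdn.com/filename.js"},
    {"violated-directive": "font-src", "blocked-uri": "data"},
    {"violated-directive": "script-src-elem", "blocked-uri": "inline", "source-file": "moz-extension"},
    {"violated-directive": "script-src", "blocked-uri": "wasm-eval", "source-file": "chrome-extension://abc/bg.js"},
    {"violated-directive": "connect-src", "blocked-uri": "https://data.sub.somedomain.net"},
]

def host_matches(pattern, host):
    """Host-only CSP source match: '*.example.com' covers subdomains at any depth, not example.com itself."""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:]) and host != pattern[2:]
    return host == pattern

def effective_directive(directive):
    # script-src-elem/-attr and style-src-elem/-attr fall back to the base directive when unset
    if directive not in POLICY and directive.startswith(("script-src-", "style-src-")):
        return directive.rsplit("-", 1)[0]
    return directive

def classify(r):
    """Bucket one csp-report object: extension, other-policy, allowed-by-policy or not-covered."""
    blocked = r.get("blocked-uri", "")
    if r.get("source-file", "").startswith(EXTENSION_SCHEMES) or blocked.startswith(EXTENSION_SCHEMES):
        return "extension"  # injected by a browser add-on, not served by the app
    if "original-policy" in r and r["original-policy"] != DEPLOYED:
        return "other-policy"  # the browser enforced a different (stale, cached or proxied) header than DEPLOYED
    sources = POLICY.get(effective_directive(r["violated-directive"]), [])
    if blocked in KEYWORDS:
        return "allowed-by-policy" if KEYWORDS[blocked] in sources else "not-covered"
    host = urlsplit(blocked).hostname or ""
    if any(host_matches(s, host) for s in sources if not s.startswith("'")):
        return "allowed-by-policy"  # DEPLOYED permits this URL; the report cannot stem from it as written
    return "not-covered"
```

Grouping the "allowed-by-policy" and "not-covered" buckets by the reporting request's User-Agent header is then the remaining lever for narrowing an unexplained report down to a browser family.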