
Why would I get a CSP warning where blocked-uri is an empty string?

I've been using CSP on my localhost server, and as well as normal CSP messages, have seen this:

{
  "csp-report": {
    "document-uri": "https://localhost:3000/",
    "referrer": "",
    "violated-directive": "script-src 'self' 'unsafe-eval' cdn.mxpnl.com js.stripe.com platform.twitter.com syndication.twitter.com use.typekit.net",
    "effective-directive": "script-src",
    "original-policy": "veryLongPolicyGoesHere",
    "blocked-uri": "",
    "source-file": "https://platform.twitter.com",
    "line-number": 2,
    "column-number": 28911,
    "status-code": 0
  }
}

Why is blocked-uri ""? What's causing this CSP warning?

mikemaccana asked Aug 24 '15 13:08


1 Answer

While it may not be easy to parse, you can find information about that type of report in a CSP "fingerprint" project I ran for a while: https://gist.github.com/oreoshake/29edbf9aae8125f05b66

Empty blocked-uris indicate an inline script/style violation, an eval call, or an inline event handler/javascript: href. Your violated-directive allows eval however.

If you can trigger the same error in a Firefox browser, you can inspect the script-sample field. It may contain the content of the inline script or it may mention the event handler triggered or it will include "eval" in the message.

A very large number of unexpected reports in this format come from browser extensions, namely LastPass.

oreoshake answered Oct 19 '22 05:10
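A small triage helper for reports with an empty blocked-uri, added here as an example (not code from the question or the answer). It applies the answer's rules (inline script/style, an eval call, or an inline event handler / javascript: URL) and tallies reports by source-file so repeated extension noise stands out; field names match the report in the question, script-sample is assumed to be filled only by Firefox, and the sample reports are constructed.

```javascript
// Added example: classify a CSP violation report whose blocked-uri is "".
// Field names follow the report in the question; script-sample is only
// populated by some browsers (Firefox), so its absence is handled explicitly.
function classifyCspReport(report) {
  const r = report["csp-report"] || report;
  const blocked = r["blocked-uri"] || "";
  const directive = r["violated-directive"] || "";
  const effective = r["effective-directive"] || directive.split(" ")[0];
  const sample = r["script-sample"] || "";

  // Non-empty blocked-uri: an ordinary "this URL is not allowed" report.
  if (blocked !== "") return { kind: "blocked-resource", detail: blocked };

  if (/\beval\b|new Function/i.test(sample)) {
    // eval reported while 'unsafe-eval' is allowed deserves a closer look.
    const allowsEval = directive.includes("'unsafe-eval'");
    return { kind: allowsEval ? "eval-despite-unsafe-eval" : "eval", detail: sample };
  }
  if (/^\s*on\w+\s*=|javascript:/i.test(sample)) {
    return { kind: "inline-handler-or-javascript-url", detail: sample };
  }
  if (effective === "style-src") return { kind: "inline-style", detail: sample };
  if (sample) return { kind: "inline-script", detail: sample };
  // No script-sample: inline code and eval cannot be told apart from this report.
  return { kind: "inline-or-eval", detail: "no script-sample; reproduce in Firefox" };
}

// Tally by classification and source-file so that the same injected script
// showing up on every page (typical of an extension) is easy to spot.
function summarizeReports(reports) {
  const tally = {};
  for (const rep of reports) {
    const r = rep["csp-report"] || rep;
    const key = `${classifyCspReport(rep).kind} @ ${r["source-file"] || "(no source-file)"}`;
    tally[key] = (tally[key] || 0) + 1;
  }
  return tally;
}

// Constructed sample reports (the first mirrors the one in the question).
const SAMPLE_REPORTS = [
  { "csp-report": { "document-uri": "https://localhost:3000/", "violated-directive": "script-src 'self' 'unsafe-eval' platform.twitter.com", "effective-directive": "script-src", "blocked-uri": "", "source-file": "https://platform.twitter.com" } },
  { "csp-report": { "document-uri": "https://localhost:3000/", "violated-directive": "script-src 'self'", "effective-directive": "script-src", "blocked-uri": "", "script-sample": "call to eval() blocked" } },
  { "csp-report": { "document-uri": "https://localhost:3000/about", "violated-directive": "script-src 'self'", "effective-directive": "script-src", "blocked-uri": "", "script-sample": "onclick=\"toggle()\"" } },
  { "csp-report": { "document-uri": "https://localhost:3000/", "violated-directive": "script-src 'self'", "effective-directive": "script-src", "blocked-uri": "https://cdn.example.net/widget.js" } },
];

console.log(summarizeReports(SAMPLE_REPORTS));
```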