Recently I’ve enabled a Content Security Policy for my web app. Based on my own testing in Safari and Chrome, everything works fine. I’m using report-uri.com to get error reports.
So far, the only reports I received are a number of blocked requests from Chrome browsers to Google Fonts for the Open Sans font. However, we don’t use Google Fonts or Open Sans in this project at all. I’ve searched through the whole source code (including libraries) for related terms, which confirmed that we don’t do anything with Google Fonts or Open Sans.
The reports don’t include useful information to find where the request to Google Fonts was made from, so I don’t know where to look any more. Because the reports only come in at some times during the day, but our app is used by a number of users throughout the whole day, I suspect it’s just one user. Maybe some kind of browser extension is causing this?
Does anyone have an idea how these requests could be caused? I’d like to make sure it’s not something on our end.
It's possible that a poorly made Browser Extension is attempting to load content in an un-kosher way. I haven't experienced it myself but there's at least one article out there on the phenomenon discussing how to avoid it from the perspective of an extension dev. Unfortunately there would be basically no way to be sure without finding the actual user(s) in question and asking them or testing from their machine.
It's also possible that user-side malware taking over the browser could load external elements on your page much like a browser extension; it's rather unlikely they'd bother loading Open Sans and nothing else, though.
As usual be sure to test your site in a variety of configurations and browsers (a favorite of mine is incognito mode in both Chrome and Firefox to ensure my cache/service worker aren't deceiving me). I would say if you don't find anything it's highly likely that it's in fact a user-side issue.
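One way to separate extension-injected noise from violations the app actually causes is to triage the raw CSP reports before treating them as bugs. The script below is an added example, not code from the original post or from report-uri.com: it parses reports in the CSP Level 2 `csp-report` JSON shape that browsers POST to a `report-uri` endpoint, classifies each one, and aggregates by directive and blocked origin. The origins in `APP_ORIGINS`, the extension id and the sample reports are constructed placeholders. Note that Chrome frequently omits `source-file` for violations an extension causes, which is why the fallback rule (blocked origin not referenced anywhere by the app) matters for the Google Fonts case in the question.

```python
"""Triage helper for CSP violation reports (report-uri style JSON).

Added example; not code from the original post or from report-uri.com.
Assumes the CSP Level 2 "csp-report" JSON shape. The sample reports, the
extension id and the application origins below are constructed placeholders.
"""
import json
from collections import Counter
from urllib.parse import urlsplit

# Schemes only browser extensions use. A violation whose source-file or
# blocked-uri carries one of these was injected by an extension, not the app.
EXTENSION_SCHEMES = {
    "chrome-extension", "moz-extension", "safari-web-extension", "ms-browser-extension",
}

# Origins the application is known to load resources from (placeholders).
# A blocked resource from any other origin is not referenced by the app's code.
APP_ORIGINS = {"https://app.example.com", "https://static.example.com"}

# Keyword values blocked-uri can take instead of a URL.
NON_URL_BLOCKED = {"inline", "eval", "data", "blob", "self", ""}

# Constructed sample reports: one with an extension source-file, two cross-origin
# font loads with no source-file (the Chrome behaviour from the question), and
# one inline-script violation that genuinely points at the app's own page.
SAMPLE_REPORTS_JSON = [
    '{"csp-report": {"document-uri": "https://app.example.com/dashboard", '
    '"effective-directive": "font-src", "blocked-uri": "https://fonts.gstatic.com", '
    '"source-file": "chrome-extension://aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/content.js", '
    '"status-code": 200}}',
    '{"csp-report": {"document-uri": "https://app.example.com/dashboard", '
    '"effective-directive": "font-src", "blocked-uri": "https://fonts.gstatic.com", '
    '"status-code": 200}}',
    '{"csp-report": {"document-uri": "https://app.example.com/settings", '
    '"effective-directive": "style-src", "blocked-uri": "https://fonts.googleapis.com", '
    '"status-code": 200}}',
    '{"csp-report": {"document-uri": "https://app.example.com/settings", '
    '"effective-directive": "script-src", "blocked-uri": "inline", '
    '"source-file": "https://app.example.com/settings", "line-number": 42, '
    '"status-code": 200}}',
]


def load_samples():
    """Parse the constructed sample reports (stands in for a report-uri export)."""
    return [json.loads(s) for s in SAMPLE_REPORTS_JSON]


def origin_of(url: str) -> str:
    """scheme://host[:port] of a URL; keyword values such as 'inline' are returned as-is.
    Chrome already truncates cross-origin blocked-uri values to the origin, so this
    makes reports from different browsers aggregate on the same key."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return url
    return f"{parts.scheme}://{parts.netloc}"


def classify(report: dict) -> str:
    """Classify one report as 'extension', 'third-party' or 'app'.

    extension    - the violating code lives in a browser extension
    third-party  - blocked origin is one the app never references (user-side noise
                   until proven otherwise; no source-file to chase)
    app          - the violation points at the app's own page: fix the policy or the page
    """
    body = report.get("csp-report", report)
    blocked = body.get("blocked-uri", "")
    source = body.get("source-file", "")
    if urlsplit(source).scheme in EXTENSION_SCHEMES or urlsplit(blocked).scheme in EXTENSION_SCHEMES:
        return "extension"
    if blocked not in NON_URL_BLOCKED and origin_of(blocked) not in APP_ORIGINS:
        return "third-party"
    return "app"


def summarize(reports) -> Counter:
    """Count reports per (classification, effective directive, blocked origin).
    Low-volume 'third-party' keys that recur at the same times of day are the
    single-user / extension pattern described in the question."""
    counts = Counter()
    for report in reports:
        body = report.get("csp-report", report)
        directive = body.get("effective-directive") or body.get("violated-directive", "?")
        counts[(classify(report), directive, origin_of(body.get("blocked-uri", "")))] += 1
    return counts


if __name__ == "__main__":
    for (kind, directive, origin), n in sorted(summarize(load_samples()).items()):
        print(f"{n:4d}  {kind:12s} {directive:12s} {origin}")
```

Feed it a real export instead of `load_samples()` and work the `app` bucket first; the `third-party` and `extension` buckets can be reviewed periodically but should not block deployment of the policy.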