Content Security Policy violation reports are usually very helpful, not only for debugging your security policy but also for building it from scratch. There is, however, one case where they can be quite annoying… Developing a CSP based on violation reports is what CspBuilder.info does, and it does the job quite well: whatever was reported as blocked is presented to you for approval, and a new policy is developed based on that.
"original-policy": "base-uri http://webcookies.info; connect-src 'none'; font-src 'none'; form-action 'none'; frame-ancestors 'none'; child-src 'none'; default-src 'none'; frame-src 'none'; img-src 'none'; media-src 'none'; object-src 'none'; script-src 'none'; style-src 'none';",
"violated-directive": "script-src 'none'",
In CSP 1.0 this ambiguity only applied to script-src, but in CSP 1.1 styles may also need unsafe-eval if dynamic style generation features are used (and this was already observed in Chrome beta).
I have suggested a small improvement on this to the latest CSP 1.1 draft.
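One way a report-driven policy builder can handle this case, as an added example (not code from the original post or from CspBuilder.info). It assumes the ambiguity is a report with an empty blocked-uri, which cannot say whether inline code or an eval-style call was blocked; the function names and sample reports are constructed for illustration.

```python
import json
from urllib.parse import urlsplit

# Directives where an empty blocked-uri may mean inline code or eval.
# style-src is included because of the post's note about CSP 1.1.
AMBIGUOUS_DIRECTIVES = {"script-src", "style-src"}

def suggest(report_json):
    """Map one violation report to (directive, candidate sources, ambiguous)."""
    report = json.loads(report_json)["csp-report"]
    # violated-directive holds name and value, e.g. "script-src 'none'"
    directive = report["violated-directive"].split()[0]
    blocked = report.get("blocked-uri", "")
    if blocked:
        parts = urlsplit(blocked)
        if parts.scheme and parts.netloc:
            return directive, [f"{parts.scheme}://{parts.netloc}"], False
        # Scheme-only or non-hierarchical value such as "data"
        return directive, [f"{parts.scheme or blocked}:"], False
    if directive in AMBIGUOUS_DIRECTIVES:
        # The report alone cannot tell which keyword is needed.
        return directive, ["'unsafe-inline'", "'unsafe-eval'"], True
    return directive, [], True

def build_policy(reports):
    """Merge unambiguous suggestions; hold ambiguous ones for human approval."""
    policy, needs_review = {}, []
    for raw in reports:
        directive, candidates, ambiguous = suggest(raw)
        if ambiguous:
            needs_review.append((directive, candidates))
        else:
            policy.setdefault(directive, set()).update(candidates)
    text = "; ".join(f"{d} {' '.join(sorted(s))}" for d, s in sorted(policy.items()))
    return text, needs_review

def _report(directive, blocked):
    # Constructed sample report; only the fields used above are filled in.
    return json.dumps({"csp-report": {"violated-directive": directive,
                                      "blocked-uri": blocked}})

SAMPLE_REPORTS = [
    _report("script-src 'none'", "http://cdn.example.test/lib.js"),
    _report("script-src 'none'", ""),   # inline or eval: not distinguishable
    _report("img-src 'none'", "data"),
]

if __name__ == "__main__":
    print(build_policy(SAMPLE_REPORTS))
```

Entries returned in the second list are the ones a reviewer has to resolve by inspecting the page itself, since adding both keywords would loosen the policy more than the report justifies.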