Content Security Policy and empty blocked-uri
Content Security Policy violation reports are usually very helpful, not only for debugging your security policy but also for building it from scratch. There is, however, one case where they can be quite annoying...
Developing a CSP from violation reports is what CspBuilder.info does, and it does the job quite well: whatever was reported as blocked is presented to you for approval, and based on that a new policy is developed.
{
  "referrer": "",
  "original-policy": "base-uri http://webcookies.info; connect-src 'none'; font-src 'none'; form-action 'none'; frame-ancestors 'none'; child-src 'none'; default-src 'none'; frame-src 'none'; img-src 'none'; media-src 'none'; object-src 'none'; script-src 'none'; style-src 'none';",
  "violated-directive": "script-src 'none'",
  "blocked-uri": "",
  "status-code": 200,
  "document-uri": "http://webcookies.info/"
}
I have suggested a small improvement on this to the latest CSP 1.1 draft.
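An added example (not code from this post or from CspBuilder.info) of how a report-driven policy builder can handle this case: reports with a usable blocked-uri become per-directive source candidates, while reports like the one above, whose empty blocked-uri names nothing to allowlist, are set aside for manual review. The function names and the two extra sample reports are constructed for illustration.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Sample input. The first report uses the values shown above; the other two
# are constructed for this example.
SAMPLE_REPORTS = [
    {"document-uri": "http://webcookies.info/",
     "violated-directive": "script-src 'none'",
     "blocked-uri": ""},
    {"document-uri": "http://webcookies.info/",
     "violated-directive": "script-src 'none'",
     "blocked-uri": "https://cdn.example/lib/app.js?v=3"},
    {"document-uri": "http://webcookies.info/about",
     "violated-directive": "img-src 'none'",
     "blocked-uri": "http://webcookies.info/logo.png"},
]


def source_for(report):
    """Return a source expression for the blocked resource, or None when
    the report carries no URI that could be turned into one."""
    blocked = (report.get("blocked-uri") or "").strip()
    parts = urlsplit(blocked)
    if not parts.scheme or not parts.netloc:
        return None  # empty or not scheme://host: nothing to allowlist
    origin = f"{parts.scheme}://{parts.netloc}"
    doc = urlsplit(report.get("document-uri") or "")
    # Same origin as the reporting document maps to the 'self' keyword.
    return "'self'" if origin == f"{doc.scheme}://{doc.netloc}" else origin


def triage(reports):
    """Split reports into per-directive source candidates (for approval)
    and (directive, document-uri) pairs that need a human to look at the page."""
    candidates = defaultdict(set)
    manual = []
    for report in reports:
        # "script-src 'none'" -> "script-src"
        directive = (report.get("violated-directive") or "unknown").split()[0]
        source = source_for(report)
        if source is None:
            manual.append((directive, report.get("document-uri", "")))
        else:
            candidates[directive].add(source)
    return {d: sorted(s) for d, s in candidates.items()}, manual


if __name__ == "__main__":
    print(triage(SAMPLE_REPORTS))
```
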