Hello,

"original-policy": "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; frame-src 'none'; frame-ancestors 'none'; manifest-src 'none'; connect-src 'none'; media-src 'none'; object-src 'none'; worker-src 'none'; report-uri https://www.monsite.com/csp_rapport.php",

I am having some trouble interpreting these alerts.

1)
"violated-directive": "img-src",
"effective-directive": "img-src",
"blocked-uri": "data",
"status-code": 0,
"script-sample": ""

2)
"violated-directive": "script-src"

"violated-directive": "font-src",
"blocked-uri": "https://github.com/google/fonts/blob/master/apache/opensans/OpenSans-Light.ttf?raw=true",

3)
"blocked-uri": "data",
"referrer": "",
"violated-directive": "default-src"

And the Mozilla scan puts red crosses on the following points:

Blocks execution of inline JavaScript by not allowing 'unsafe-inline' inside script-src
Blocks execution of JavaScript's eval() function by not allowing 'unsafe-eval' inside script-src
Blocks inline styles by not allowing 'unsafe-inline' inside style-src
Clickjacking protection, using frame-ancestors
Deny by default, using default-src 'none'
Restricts use of the <base> tag by using base-uri 'none', base-uri 'self', or specific origins
Restricts where <form> contents may be submitted by using form-action 'none', form-action 'self', or specific URIs

Do you see which corrective actions are being asked for?

Thanks in advance.
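As an added example (not part of the original post), this Python script parses the policy quoted above and, for reports modelled on the three in the question, shows which directive actually applied (an absent fetch directive such as img-src falls back to default-src) and which source expression the blocked URI would need. The report dictionaries and the data:/blob: scheme mapping are constructed for illustration, not taken from the post.

```python
"""Explain CSP violation reports against the policy that produced them."""
from urllib.parse import urlparse

# Policy exactly as quoted in the question's "original-policy" field.
POLICY = ("default-src 'self'; script-src 'self' 'unsafe-inline'; "
          "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; "
          "font-src 'self' https://fonts.gstatic.com; frame-src 'none'; "
          "frame-ancestors 'none'; manifest-src 'none'; connect-src 'none'; "
          "media-src 'none'; object-src 'none'; worker-src 'none'; "
          "report-uri https://www.monsite.com/csp_rapport.php")

# Constructed sample reports, modelled on the three shown in the question.
REPORTS = [
    {"effective-directive": "img-src", "blocked-uri": "data"},
    {"effective-directive": "font-src",
     "blocked-uri": "https://github.com/google/fonts/blob/master/apache/"
                    "opensans/OpenSans-Light.ttf?raw=true"},
    {"effective-directive": "default-src", "blocked-uri": "data"},
]


def parse_policy(policy):
    """Return {directive: [source-expression, ...]} from a serialized header."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0]] = tokens[1:]
    return directives


def needed_source(blocked_uri):
    """Map a report's blocked-uri to the source expression that would allow it.
    Browsers reduce data:/blob: URIs to the bare scheme name in reports."""
    if blocked_uri in ("data", "blob"):
        return blocked_uri + ":"
    u = urlparse(blocked_uri)          # full URL: allow only its origin
    return f"{u.scheme}://{u.netloc}"


def explain(directives, report):
    """Return (directive that actually applied, missing source expression)."""
    wanted = report["effective-directive"]
    applied = wanted if wanted in directives else "default-src"
    return applied, needed_source(report["blocked-uri"])


if __name__ == "__main__":
    parsed = parse_policy(POLICY)
    for r in REPORTS:
        applied, src = explain(parsed, r)
        print(f"{r['effective-directive']:12} blocked {r['blocked-uri'][:40]!r}: "
              f"applied {applied} {parsed[applied]}; would need {src}")
```

Whether to add `data:` to an explicit img-src or to drop the data: image is a design decision; the script only names the directive and source involved.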