
Our web server constantly gets CSP reports of violations even though we have added the domain as well as even a wildcard to just allow all for api2.amplitude.com.

{
   "csp-report":{
      "document-uri":"<redacted>",
      "referrer":"<redacted>",
      "violated-directive":"connect-src",
      "effective-directive":"connect-src",
      "original-policy":"base-uri 'self';object-src 'none'; report-uri /csp-report; img-src 'self' data: *;style-src 'unsafe-eval' 'unsafe-inline' 'self' *; font-src 'unsafe-eval' 'unsafe-inline' 'self' data: *; connect-src 'report-sample' 'self' api2.amplitude.com *; media-src 'self' blob: data: *; script-src 'unsafe-eval' 'unsafe-inline' 'report-sample' 'self' cdn.amplitude.com https://maps.googleapis.com https://maps.gstatic.com https://connect.facebook.net; default-src 'unsafe-eval' 'unsafe-inline' 'report-sample' 'self' cdn.amplitude.com;",
      "disposition":"enforce",
      "blocked-uri":"https://api2.amplitude.com/2/httpapi",
      "status-code":200,
      "script-sample":""
   }
}

This keeps saying that we are violating connect-src but our connect-src policy is: connect-src 'report-sample' 'self' api2.amplitude.com *;

We’ve tried with just the wildcard as well but same result.
Currently api2.amplitude.com is the only one triggering the violation.

FYI, we still get events from browsers but this CSP violation happens almost once a day so we have concerns about potential loss of events.

Please help!

Thanks for reaching out about this issue @john.innocaption. I’ll make sure we send this to the team for further review.


Hello @john.innocaption hope you are doing well!

I checked with our engineering team regarding this issue and they asked if you could try the following:

connect-src 'report-sample' 'self' https://api2.amplitude.com *

Is this something that you can try on your end, please?


Sure we can try that.


We are still seeing it:

{
   "csp-report":{
      "document-uri":"<redacted>",
      "referrer":"<redacted>",
      "violated-directive":"connect-src",
      "effective-directive":"connect-src",
      "original-policy":"base-uri 'self';object-src 'none'; report-uri /csp-report; img-src 'self' data: *;style-src 'unsafe-eval' 'unsafe-inline' 'self' *; font-src 'unsafe-eval' 'unsafe-inline' 'self' data: *; connect-src 'report-sample' 'self' https://api2.amplitude.com *; media-src 'self' blob: data: *; script-src 'unsafe-eval' 'unsafe-inline' 'report-sample' 'self' cdn.amplitude.com https://maps.googleapis.com https://maps.gstatic.com https://connect.facebook.net; default-src 'unsafe-eval' 'unsafe-inline' 'report-sample' 'self' cdn.amplitude.com;",
      "disposition":"enforce",
      "blocked-uri":"https://api2.amplitude.com/2/httpapi",
      "status-code":200,
      "script-sample":""
   }
}



Hello @john.innocaption thank you for the information!

A couple of items that you can try:

  • Check the server logs to see if there are any errors or warnings related to the CSP policy. This may provide some insights into what is happening and why the policy is not being applied as expected.
  • Double-check that the policy is being sent correctly in the HTTP headers.

Nothing on the server, and on browsers I can see the CSP header just fine.

At this point, I think it may possibly be some sort of anti-tracking plugin that a user is using since it’s only the amplitude domain that keeps triggering this.
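A way to test that hypothesis on the report endpoint itself, as an added example that is not part of this thread or of Amplitude's code: re-evaluate each incoming report's blocked-uri against the connect-src sources carried in its own original-policy. A report whose policy already allows the blocked URI cannot have been produced by the server's CSP, which points at something on the client side (an extension that rewrites or injects a policy, for instance) and can be filed separately from genuine violations. The sample report below is constructed to mirror the one posted above (with a made-up document-uri, since the real one was redacted); the matching implements a subset of the CSP3 host-source rules and is this example's own simplification, not a full CSP engine.

```python
import json
from urllib.parse import urlsplit

# Constructed sample, modelled on the report posted in this thread
# (document-uri is a made-up placeholder; the real one was redacted).
SAMPLE_REPORT = json.dumps({
    "csp-report": {
        "document-uri": "https://example.invalid/app",
        "referrer": "",
        "violated-directive": "connect-src",
        "effective-directive": "connect-src",
        "original-policy": "base-uri 'self';object-src 'none'; report-uri /csp-report; "
                           "connect-src 'report-sample' 'self' https://api2.amplitude.com *; "
                           "default-src 'self'",
        "disposition": "enforce",
        "blocked-uri": "https://api2.amplitude.com/2/httpapi",
        "status-code": 200,
        "script-sample": "",
    }
})

DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}


def parse_policy(policy: str) -> dict:
    """Split a serialized CSP into {directive-name: [source expressions]}."""
    directives = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def host_source_matches(source: str, url) -> bool:
    """Simplified CSP3 host-source matching: [scheme://]host[:port][/path]."""
    scheme, sep, rest = source.partition("://")
    if not sep:
        scheme, rest = "", source
    host_port, _, path = rest.partition("/")
    host, _, port = host_port.partition(":")
    scheme = scheme.lower()
    # An explicit scheme must match; CSP3 lets an http source also match https.
    if scheme and scheme != url.scheme and not (scheme == "http" and url.scheme == "https"):
        return False
    url_host = (url.hostname or "").lower()
    host = host.lower()
    if host.startswith("*."):
        if not url_host.endswith(host[1:]):   # "*.example.com" matches "a.example.com"
            return False
    elif host != "*" and host != url_host:
        return False
    if port and port != "*":
        url_port = url.port or DEFAULT_PORTS.get(url.scheme)
        if str(url_port) != port:
            return False
    if path:
        # A path ending in "/" is a prefix match, otherwise the path must match exactly.
        if path.endswith("/"):
            return url.path.startswith("/" + path)
        return url.path == "/" + path
    return True


def source_allows(source: str, blocked: str, document: str) -> bool:
    """Does one CSP source expression allow the blocked URI for this document?"""
    url = urlsplit(blocked)
    if source == "'self'":
        doc = urlsplit(document)
        return (url.scheme, url.hostname, url.port) == (doc.scheme, doc.hostname, doc.port)
    if source.startswith("'"):
        return False                          # 'report-sample', 'unsafe-inline', ... never match a URL
    if source.endswith(":"):
        return url.scheme == source[:-1].lower()   # scheme-source such as "data:"
    if source == "*":
        return url.scheme in ("http", "https", "ws", "wss")
    return host_source_matches(source, url)


def triage(report_json: str) -> dict:
    """Check whether the policy carried in the report actually allows the blocked URI."""
    r = json.loads(report_json)["csp-report"]
    policy = parse_policy(r["original-policy"])
    directive = r.get("effective-directive") or r["violated-directive"]
    sources = policy.get(directive, policy.get("default-src", []))
    matching = [s for s in sources if source_allows(s, r["blocked-uri"], r["document-uri"])]
    return {
        "directive": directive,
        "blocked_uri": r["blocked-uri"],
        "allowed_by_policy": bool(matching),
        "matching_sources": matching,
        # A report the server's own policy cannot explain points at the client
        # (e.g. an extension altering the policy) rather than at the CSP header.
        "verdict": "unexplained-by-policy" if matching else "genuine-violation",
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_REPORT), indent=2))
```

Running it on the sample report yields `allowed_by_policy: true` with both `https://api2.amplitude.com` and `*` as matching sources, i.e. exactly the situation in this thread: the policy the browser says it enforced would have permitted the request. Reports that land in the `unexplained-by-policy` bucket are the ones worth correlating with user-agent and client-side tooling rather than with the server configuration.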

