Hi again
Sorry it took a while, but I have tested a couple of pages' violation reports and I can see a number of violations which I would not expect to be cancelled due to duplication (because, for example, there is a single violation report attempt logged to a given blocked-uri - which was cancelled). For clarity, I put my findings in gists:
I am pretty sure (from the doc you linked) that the de-dupe is intended to be done using blocked-uri as the key for uniqueness - please correct me if you know/believe otherwise - I tried 3 different keys for uniqueness, just in case.
I also checked the logs from my report-uri endpoint and found that the number of inbound requests is exactly equal to the number of un-cancelled violation reports shown in Chrome - there are zero failed report requests on my endpoint.
So... bearing in mind all the above, I think it must be some sort of an issue in Chrome. I guess perhaps some throttling - perhaps due to the (intentionally, since I am testing CSP in general, not a "real" policy) number of violations my page is triggering.
Finally, just for clarity, I am using the "Modify Headers" extension for Chrome to add the CSP response header - but I have previously tested sending the header from a web server and that exhibited the same behaviour.
Hoping someone can shed some light on this...and please let me know if any more info is needed.
Cheers
Neil