This allows me to run JavaScript locally, run PHP scripts on my server, get images from my server, access the device file system, play media files, use Google Maps and geocoding, etc.
On the server side I use a script to capture and email the CSP violations to myself. You can enable server-side CSP logging by implementing the report-uri tag and the script URL. report-uri is deprecated and browsers that support the new report-to tag will ignore report-uri. You can read all about it in the link I provided. For now, report-uri seems to be working on iOS and Android but test it on your flavor.
<?php
// Note: this script requires PHP >= 5.4 (http_response_code() and JSON_PRETTY_PRINT).
define('EMAIL', 'ad...@mydomain.com'); // Specify the email address that receives the reports.
define('SUBJECT', 'mydomain CSP violation'); // Specify the desired email subject for violation reports.

// Send `204 No Content` status code.
http_response_code(204);

// Get the raw POST data.
$data = file_get_contents('php://input');

// Only continue if it's valid JSON that is not just `null`, `0`, `false` or an
// empty string, i.e. if it could be a CSP violation report.
if ($data = json_decode($data))
{
    // Prettify the JSON-formatted data.
    $data = json_encode($data, JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES);

    // Mail the CSP violation report.
    mail(EMAIL, SUBJECT, $data, 'Content-Type: text/plain;charset=utf-8');
    error_log($data);
}
else
{
    error_log("Empty CSP violation string");
}
?>
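Because browsers with report-to ignore report-uri, a live endpoint sees two different POST shapes: the legacy `{"csp-report": {...}}` object and the Reporting API's JSON array of `{"type": "csp-violation", "body": {...}}` entries. The script below is an added example, not the original poster's script; it normalises both shapes into one log line per violation, and the log path is a placeholder.

```php
<?php
// Added example: one CSP reporting endpoint for both report-uri and report-to.
// Serve it alongside e.g. `Content-Security-Policy: ...; report-uri /csp.php; report-to csp-endpoint`
// and a matching `Report-To` header that names this URL for the "csp-endpoint" group.
define('LOG_FILE', '/var/log/csp-reports.log'); // placeholder path, adjust for your server

// Return the violation bodies found in either report format (empty array if none).
function csp_extract_reports($json) {
    $decoded = json_decode($json, true);
    if (!is_array($decoded)) {
        return array();
    }
    // Legacy report-uri format: a single object wrapping the report under "csp-report".
    if (isset($decoded['csp-report']) && is_array($decoded['csp-report'])) {
        return array($decoded['csp-report']);
    }
    // Reporting API (report-to) format: an array of {"type": ..., "body": {...}} objects.
    $reports = array();
    foreach ($decoded as $entry) {
        if (is_array($entry) && isset($entry['type'], $entry['body'])
            && $entry['type'] === 'csp-violation' && is_array($entry['body'])) {
            $reports[] = $entry['body'];
        }
    }
    return $reports;
}

// Reduce one report to the fields worth alerting on. Legacy reports use hyphenated keys
// (document-uri, blocked-uri); Reporting API bodies use camelCase (documentURL, blockedURL).
function csp_summarise($report) {
    $pick = function ($keys) use ($report) {
        foreach ($keys as $k) {
            if (isset($report[$k]) && $report[$k] !== '') {
                return $report[$k];
            }
        }
        return '-';
    };
    return sprintf('document=%s directive=%s blocked=%s',
        $pick(array('document-uri', 'documentURL')),
        $pick(array('violated-directive', 'effective-directive', 'effectiveDirective')),
        $pick(array('blocked-uri', 'blockedURL')));
}

http_response_code(204); // a report endpoint never renders anything to the browser
$raw = file_get_contents('php://input');
foreach (csp_extract_reports($raw) as $report) {
    // Report contents are client-supplied input: log them, never echo them back into a page.
    error_log(date('c') . ' CSP ' . csp_summarise($report) . "\n", 3, LOG_FILE);
}
?>
```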