Reasons for having fonts.gstatic.com in the csp-report - without having the external URL inside the HTML/JS?
Question
I implemented a Content-Security-Policy (CSP) and use the report-uri parameter to track violations of the policy.
While tracking the violations I have noticed such entries:
"csp-report": {
    "document-uri": "https://www.example.com/",
    "referrer": "",
    "violated-directive": "font-src",
    "effective-directive": "font-src",
    "disposition": "enforce",
    "blocked-uri": "https://fonts.gstatic.com/s/mulish/v12/1Ptvg83HX_SGhgqk0AotcqA.woff2",
    "status-code": 200,
    "script-sample": ""
}
The strange thing is that neither in the HTML, nor in the JavaScript files, nor in the CSS files am I using any external font. They are all clean of external URLs.
As you can see, the script-sample is also empty.
I assume that it could be a browser extension of the user that injects the font into the website, which then gets blocked by CSP.
What else could it be?
Answer 1
Score: 1
I found this nice collection of CSP violations: https://github.com/nico3333fr/CSP-useful/blob/master/csp-wtf/explained.md
One seems to be similar to the one I discovered.
"blocked-uri": "https://fonts.gstatic.com/s/opensans/v13/PRmiXeptR36kaC0GEAetxko2lTMeWA_kmIyWrkNCwPc.woff2",
> Might be related to extension that allow to personalize fonts, like Font Changer
This is better than nothing.
If someone else discovers another source of the violation, please post it here.
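The answer's conclusion is that a font-src violation naming fonts.gstatic.com, with an empty script-sample and no reference to that host anywhere in the site's own HTML, JavaScript or CSS, is most plausibly caused by a user's font-changing browser extension rather than by the site. A report-uri endpoint can apply that reasoning automatically so that such entries do not drown out the violations that matter. The following is an added example written for this page, not code from the poster or from the linked CSP-useful repository. It assumes the site serves all of its fonts itself (so the Google Fonts host can never appear legitimately), and the second sample report is a constructed inline-script violation used only to show the contrast.

```python
import json
from urllib.parse import urlparse

# Constructed sample payloads. The first is the report quoted in the question
# (a blocked Google Fonts file with an empty script-sample); the second is a
# hypothetical inline-script violation of the kind a site owner does want to see.
SAMPLE_REPORTS = [
    json.dumps({"csp-report": {
        "document-uri": "https://www.example.com/",
        "referrer": "",
        "violated-directive": "font-src",
        "effective-directive": "font-src",
        "disposition": "enforce",
        "blocked-uri": "https://fonts.gstatic.com/s/mulish/v12/1Ptvg83HX_SGhgqk0AotcqA.woff2",
        "status-code": 200,
        "script-sample": "",
    }}),
    json.dumps({"csp-report": {
        "document-uri": "https://www.example.com/checkout",  # constructed
        "referrer": "",
        "violated-directive": "script-src",
        "effective-directive": "script-src",
        "disposition": "enforce",
        "blocked-uri": "inline",
        "status-code": 200,
        "script-sample": "document.cookie",  # constructed
    }}),
]

# Assumption for this example: the site serves every font itself, so a
# font-src violation pointing at a third-party font CDN cannot originate from
# the site's own markup. The host listed is the one the answer associates
# with font-changing browser extensions.
EXTENSION_FONT_HOSTS = {"fonts.gstatic.com"}


def parse_report(raw: str) -> dict:
    """Return the inner csp-report object, rejecting payloads without it."""
    body = json.loads(raw)
    report = body.get("csp-report") if isinstance(body, dict) else None
    if not isinstance(report, dict):
        raise ValueError("payload is not a csp-report")
    return report


def classify(report: dict) -> tuple:
    """Label a report as probable extension noise or as something to investigate."""
    directive = report.get("effective-directive") or report.get("violated-directive", "")
    blocked = report.get("blocked-uri", "")
    host = urlparse(blocked).hostname if "://" in blocked else None
    # The signature from the question: a font-src block on a third-party font
    # host, with no script sample and no source-file pointing into our own code.
    if (directive == "font-src" and host in EXTENSION_FONT_HOSTS
            and not report.get("script-sample") and not report.get("source-file")):
        return ("likely-extension-noise",
                f"third-party font host {host} is never referenced by the site")
    if blocked in ("inline", "eval"):
        return ("investigate", f"{directive} blocked {blocked} content")
    return ("investigate", f"{directive} blocked {blocked}")


def triage(raw_reports) -> dict:
    """Count reports per label; malformed payloads are counted separately."""
    counts = {}
    for raw in raw_reports:
        try:
            label, _reason = classify(parse_report(raw))
        except ValueError:  # json.JSONDecodeError is a subclass of ValueError
            label = "malformed"
        counts[label] = counts.get(label, 0) + 1
    return counts


if __name__ == "__main__":
    for raw in SAMPLE_REPORTS:
        print(classify(parse_report(raw)))
    print(triage(SAMPLE_REPORTS))
```

The label is deliberately "likely" rather than certain: the report carries no field that identifies an extension, so the classification rests on the site owner knowing that the blocked host is not part of their own deployment. If Google Fonts is ever added to the site, EXTENSION_FONT_HOSTS must be revisited, otherwise a real misconfiguration would be filed as noise.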