TYPO3 Core

How gets that third-party code in? By a tag manager or other loader script which then loads additional code? Then a solution might be to use strict-dynamic:
https://content-security-policy.com/strict-dynamic/

Then the "root script" is always trusted and can load additional scripts from other domains without adjusting your policy.
Please also mind the fallbacks for browsers which does not support strict-dynamic currently (from the major browsers currently only Firefox on Android).

You might also use the PolicyMutatedEvent to adjust your policy:
https://docs.typo3.org/m/typo3/reference-coreapi/main/en-us/ApiOverview/Events/Events/Core/Security/PolicyMutatedEvent.html
This way, you can check the request and set the report-uri accordingly.

The amount of requests cannot be lowered directly, because the requests are send by the browsers. Indirectly with adjusting the report-uri endpoint, for example, by restricting the IP adresses (with the mentioned event).

Chris Müller wrote in #note-1:

How gets that third-party code in? By a tag manager or other loader script which then loads additional code? Then a solution might be to use strict-dynamic:
https://content-security-policy.com/strict-dynamic/

Then the "root script" is always trusted and can load additional scripts from other domains without adjusting your policy.
Please also mind the fallbacks for browsers which does not support strict-dynamic currently (from the major browsers currently only Firefox on Android).

I do not want to allow this, as we cannot trust the scripts well enough for security reasons.
There is a possibility that they could download harmful content in the future.

You might also use the PolicyMutatedEvent to adjust your policy:
https://docs.typo3.org/m/typo3/reference-coreapi/main/en-us/ApiOverview/Events/Events/Core/Security/PolicyMutatedEvent.html
This way, you can check the request and set the report-uri accordingly.

The amount of requests cannot be lowered directly, because the requests are send by the browsers. Indirectly with adjusting the report-uri endpoint, for example, by restricting the IP adresses (with the mentioned event).

How exactly can I use the PolicyMutatedEvent to restrict it to certain IP addresses?
When I try to remove the Directive::ReportUri, it is added again due to the code here:
https://github.com/TYPO3/typo3/blob/6b9220ed3f878e8c09f9e1dbb6e058eca8b664f3/typo3/sysext/backend/Classes/Middleware/ContentSecurityPolicyHeaders.php#L67

You might be able to 'abuse' setting the reportURI like this:

$GLOBALS['TYPO3_CONF_VARS']['BE']['contentSecurityPolicyReportingUrl']
        = 'abc:invalid';

$GLOBALS['TYPO3_CONF_VARS']['FE']['contentSecurityPolicyReportingUrl']
        = 'abc:invalid';

This should then return a `null` URI (InvalidArgumentException), which in turn would prevent adding a Report-URI.

(Having said that - might still be worth investigating if removing a report-uri could be made easier, as it's an optional argument [and actually deprecated, but report-for seems to not have been widely adopted yet])