Description
@fred-wang reported (in this bug) that Firefox and Safari, unlike Chrome, do not pass the test security-policy/securitypolicyviolation/source-file.html. The expectation of this test seems to be that the source file of a violation is based on the source map included in the JavaScript source code. Firefox and seemingly Safari don't implement this. It's impossible to tell what the correct behavior would be, because source file is only defined as the following in the CSP specification:
a source file, which is either null or a URL
Thinking out loud: I am personally not sure about the restrictions placed on source mapping, but I am worried that this would require additional network requests or that it might even allow attackers to hide the actual source of a JS-based attack.
Even without specifying that it should use source mapping, there is probably room for a better definition.