Turn it into block mode (not report only mode) as it’s easier to work out if something is being caught.
Try embedding a YouTube video to your page and see if the video runs in your browser (under the YouTube video, the ‘share’ option, then ’embed’, the code should be an iframe). If the video plays OK then your site is allowing third party access, if it doesn’t it is being blocked.
If it is blocked then check the CSP log for a youtube entry – no entry could mean the browser is not able to report the violation. You will need to look at the network traffic using your browser’s developer tools, see if the call is being blocked. Sometimes the call is blocked by another plugin such as Wordfence.
If YouTube is not blocked then either the header is not being sent or you have allowed access to third parties (using a ‘*’ for example). Use your browser’s developer tools and look for a response header of “Content-Security-Policy:” – if that exists the plugin is setting the header, if it isn’t then the plugin might be disabled or something else is happening.
