HHVM has a behaviour where it always treats the post body as decodable data even when the content-type is application/json or application/csp-report.
This is causing some CSP reports to be misinterpreted. Google suggests that setting hhvm.virtual_host[default][always_decode_post_data] = false fixes this issue.
Once upon a time I had a patch for this ( https://gerrit.wikimedia.org/r/#/c/operations/puppet/+/306548/ ) but I abandoned it as I don't think I really understood how our hhvm config is set. In any case, I'd appreciate if the config could be changed or someone can point me in the right direction on how to write a patch for this.