CSPViolationReportBody

Secure context: This feature is available only in secure contexts (HTTPS), in some or all supporting browsers.

The CSPViolationReportBody interface contains the report data for a Content Security Policy (CSP) violation. CSP violations are thrown when the webpage attempts to load a resource that violates the CSP set by the Content-Security-Policy HTTP header.

Note: this interface is similar, but not identical to, the JSON objects sent back to the report-uri or report-to policy directive of the Content-Security-Policy header.

Instance properties

Also inherits properties from its parent interface, ReportBody.

CSPViolationReportBody.blockedURL Read only: A string representing the URL of the resource that was blocked because it violates the CSP.
CSPViolationReportBody.columnNumber Read only: The column number in the script at which the violation occurred.
CSPViolationReportBody.disposition Read only: Indicates how the violated policy is configured to be treated by the user agent. This will be "enforce" or "report".
CSPViolationReportBody.documentURL Read only: A string representing the URL of the document or worker in which the violation was found.
CSPViolationReportBody.effectiveDirective Read only: A string representing the directive whose enforcement uncovered the violation.
CSPViolationReportBody.lineNumber Read only: The line number in the script at which the violation occurred.
CSPViolationReportBody.originalPolicy Read only: A string containing the policy whose enforcement uncovered the violation.
CSPViolationReportBody.referrer Read only: A string representing the URL for the referrer of the resources whose policy was violated, or null.
CSPViolationReportBody.sample Read only: A string representing a sample of the resource that caused the violation, usually the first 40 characters. This will only be populated if the resource is an inline script, event handler, or style — external resources causing a violation will not generate a sample.
CSPViolationReportBody.sourceFile Read only: If the violation occurred as a result of a script, this will be the URL of the script; otherwise, it will be null. Both columnNumber and lineNumber should have non-null values if this property is not null.
CSPViolationReportBody.statusCode Read only: A number representing the HTTP status code of the document or worker in which the violation occurred.

Instance methods

Also inherits methods from its parent interface, ReportBody.

CSPViolationReportBody.toJSON(): A serializer which returns a JSON representation of the CSPViolationReportBody object.

Examples

Obtaining a `CSPViolationReportBody` object

To obtain a CSPViolationReportBody object, you must configure your page so that a CSP violation will occur. In this example, we will set our CSP to only allow content from the site's own origin, and then attempt to load a script from apis.google.com, which is an external origin.

First, we will set our Content-Security-Policy header:

http

Content-Security-Policy: default-src 'self';

Then, we will attempt to load an external script:

html

<!-- This should generate a CSP violation -->
<script src="https://apis.google.com/js/platform.js"></script>

Finally, we will create a new ReportingObserver object to listen for CSP violations.

const observer = new ReportingObserver(
  (reports, observer) => {
    const cspViolation = reports[0].body;
  },
  {
    types: ["csp-violation"],
    buffered: true,
  }
);

observer.observe();

Specifications

Specification
Content Security Policy Level 3 # cspviolationreportbody

Browser compatibility

BCD tables only load in the browser