Content-Security-Policy-Report-Only

The directives of the Content-Security-Policy header can also be applied to Content-Security-Policy-Report-Only.

The CSP report-to directive should be used with this header, otherwise this header will be an expensive no-op machine.

This header reports violations that would have occurred. You can use this to iteratively work on your content security policy. You observe how your site behaves, watching for violation reports, then choose the desired policy enforced by the Content-Security-Policy header.

Content-Security-Policy-Report-Only: default-src https:; report-to /csp-violation-report-endpoint/

If you still want to receive reporting, but also want to enforce a policy, use the Content-Security-Policy header with the report-to directive.

Content-Security-Policy: default-src https:; report-to /csp-violation-report-endpoint/

The report JSON object is sent with an application/csp-report Content-Type and contains the following data:

blocked-uri

The URI of the resource that was blocked from loading by the Content Security Policy. If the blocked URI is from a different origin than the document-uri, then the blocked URI is truncated to contain just the scheme, host, and port.

disposition

Either "enforce" or "report" depending on whether the Content-Security-Policy header or the Content-Security-Policy-Report-Only header is used.

document-uri

The URI of the document in which the violation occurred.

effective-directive

The directive whose enforcement caused the violation.

original-policy

The original policy as specified by the Content-Security-Policy-Report-Only HTTP header.

referrer

The referrer of the document in which the violation occurred.

script-sample

The first 40 characters of the inline script, event handler, or style that caused the violation.

status-code

The HTTP status code of the resource on which the global object was instantiated.

violated-directive Deprecated

The directive whose enforcement caused the violation. The violated-directive is a historic name for the effective-directive field and contains the same value.

Let's consider a page located at http://example.com/signup.html. It uses the following policy, disallowing everything but stylesheets from cdn.example.com.

Content-Security-Policy-Report-Only: default-src 'none'; style-src cdn.example.com; report-to /_/csp-reports

The HTML of signup.html looks like this:

<!DOCTYPE html>
<html lang="en-US">
  <head>
    <meta charset="UTF-8" />
    <title>Sign Up</title>
    <link rel="stylesheet" href="css/style.css" />
  </head>
  <body>
    Page content
  </body>
</html>

Can you spot the violation? Stylesheets are only allowed to be loaded from cdn.example.com, yet the website tries to load one from its own origin (http://example.com). A browser capable of reporting CSP violations will send the following report as an HTTP POST request to http://example.com/_/csp-reports, when the document is visited:

{
  "csp-report": {
    "blocked-uri": "http://example.com/css/style.css",
    "disposition": "report",
    "document-uri": "http://example.com/signup.html",
    "effective-directive": "style-src-elem",
    "original-policy": "default-src 'none'; style-src cdn.example.com; report-to /_/csp-reports",
    "referrer": "",
    "status-code": 200,
    "violated-directive": "style-src-elem"
  }
}

The report includes the full path to the violating resource in blocked-uri which may not always the case. For example, when the signup.html would attempt to load CSS from http://anothercdn.example.com/stylesheet.css, the browser would not include the full path but only the origin (http://anothercdn.example.com). This is done to prevent leaking sensitive information about cross-origin resources.

• Content-Security-Policy
• CSP report-to directive
• CSP report-uri directive Deprecated