The HTTP Content-Security-Policy-Report-Only
response header allows web developers to experiment with policies by monitoring (but not enforcing) their effects. These violation reports consist of JSON documents sent via an HTTP POST
request to the specified URI.
For more information, see also this article on Content Security Policy (CSP).
Header type | Response header |
---|---|
Forbidden header name | no |
This header is not supported inside a <meta> element. |
Content-Security-Policy-Report-Only: <policy-directive>; <policy-directive>
The directives of the Content-Security-Policy
header can also be applied to Content-Security-Policy-Report-Only
.
The CSP report-uri
directive should be used with this header, otherwise this header will be an expensive no-op machine.
This header reports violations that would have occurred. You can use this to iteratively work on your content security policy. You observe how your site behaves, watching for violation reports, then choose the desired policy enforced by the Content-Security-Policy
header.
Content-Security-Policy-Report-Only: default-src https:; report-uri /csp-violation-report-endpoint/
If you still want to receive reporting, but also want to enforce a policy, use the Content-Security-Policy
header with the report-uri
directive.
Content-Security-Policy: default-src https:; report-uri /csp-violation-report-endpoint/
The report JSON object contains the following data:
document-uri
referrer
blocked-uri
violated-directive
original-policy
Content-Security-Policy
HTTP header.Content-Security-Policy
header or the Content-Security-Header-Report-Only
header is used.http://example.com/signup.html
. It uses the following policy, disallowing everything but stylesheets from cdn.example.com
. Content-Security-Policy-Report-Only: default-src 'none'; style-src cdn.example.com; report-uri /_/csp-reportsThe HTML of
signup.html
looks like this: <!DOCTYPE html> <html> <head> <title>Sign Up</title> <link rel="stylesheet" href="css/style.css"> </head> <body> ... Content ... </body> </html>Can you spot the violation? Stylesheets are only allowed to be loaded from
cdn.example.com
, yet the website tries to load one from its own origin (http://example.com
). A browser capable of enforcing CSP will send the following violation report as a POST request to http://example.com/_/csp-reports
, when the document is visited: { "csp-report": { "document-uri": "http://example.com/signup.html", "referrer": "", "blocked-uri": "http://example.com/css/style.css", "violated-directive": "style-src cdn.example.com", "original-policy": "default-src 'none'; style-src cdn.example.com; report-uri /_/csp-reports", "disposition": "report" } }
As you can see, the report includes the full path to the violating resource in blocked-uri
. This is not always the case. For example, when the signup.html
would attempt to load CSS from http://anothercdn.example.com/stylesheet.css
, the browser would not include the full path but only the origin (http://anothercdn.example.com
). This is done to prevent leaking sensitive information about cross-origin resources.
Specification | Status | Comment |
---|---|---|
Content Security Policy Level 3 | Editor's Draft | No changes. |
Content Security Policy Level 2 | Recommendation | Initial definition. |
Feature | Chrome | Edge | Firefox | Internet Explorer | Opera | Safari |
---|---|---|---|---|---|---|
Basic support | 25 | 14 | 23 | 10 | 15 | 7 |
Feature | Android webview | Chrome for Android | Edge mobile | Firefox for Android | IE mobile | Opera Android | iOS Safari |
---|---|---|---|---|---|---|---|
Basic support | 4.4 | Yes | Yes | 23 | ? | ? | 7.1 |
Content-Security-Policy
report-uri
directive
© 2005–2018 Mozilla Developer Network and individual contributors.
Licensed under the Creative Commons Attribution-ShareAlike License v2.5 or later.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only