Content-Security-Policy-Report-Only header - HTTP | MDN
Syntax
Content-Security-Policy-Report-Only: <policy-directive>; …; <policy-directive>; report-to <endpoint-name>
Directives
The Content-Security-Policy-Report-Only header supports all Content-Security-Policy directives except sandbox, which is ignored.
**Note:** The CSP report-to directive should be used with this header or it will have no effect.
Examples
Using Content-Security-Policy-Report-Only to send CSP reports
To use the report-to directive, you first need to define a corresponding endpoint using the Reporting-Endpoints response header. In the example below, we define a single endpoint named csp-endpoint.
Reporting-Endpoints: csp-endpoint="https://example.com/csp-reports"
We can then define the destination of the report using report-to and report-uri, as shown below. Note that this particular policy would generate a report if the page loaded a resource over plain HTTP or ran inline script or style, since default-src https: permits only HTTPS-sourced resources and, by default, disallows inline code.
Content-Security-Policy-Report-Only: default-src https:;
  report-uri /csp-report-url/;
  report-to csp-endpoint;
**Note:** The report-to directive is preferred over the deprecated report-uri, but we declare both because report-to does not yet have full cross-browser support.
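The two halves of the exchange above, as an added example that is not part of the MDN page: one function builds the Reporting-Endpoints and Content-Security-Policy-Report-Only headers exactly as the page shows them, and another parses what a browser POSTs back to the endpoint. Because the policy declares both report-to and report-uri, the endpoint may receive either the Reporting API batch format (Content-Type application/reports+json, an array of {"type": "csp-violation", "body": ...} objects) or the legacy single-object format (Content-Type application/csp-report, {"csp-report": ...}); the parser normalises both into the same record. The endpoint name and URL come from the page; the two sample report payloads are constructed here to mirror the page's two trigger cases (an insecure load and inline script), and the helper names are assumptions, not an API of any library.

```python
"""Added example (not MDN's code): emit the report-only CSP headers from the
page and parse the violation reports a browser sends to the endpoint."""
import json
from typing import Any, Optional

REPORT_ENDPOINT_NAME = "csp-endpoint"                       # from the page
REPORT_ENDPOINT_URL = "https://example.com/csp-reports"     # from the page


def build_headers(report_only: bool = True) -> dict:
    """Return the two response headers from the page's example.

    report_only=True emits Content-Security-Policy-Report-Only, which only
    reports; False emits the enforcing Content-Security-Policy header with the
    same directives, the usual next step once reports look clean."""
    csp_name = "Content-Security-Policy-Report-Only" if report_only else "Content-Security-Policy"
    directives = [
        "default-src https:",
        "report-uri /csp-report-url/",        # deprecated, kept for older browsers
        f"report-to {REPORT_ENDPOINT_NAME}",  # preferred; needs Reporting-Endpoints
    ]
    return {
        "Reporting-Endpoints": f'{REPORT_ENDPOINT_NAME}="{REPORT_ENDPOINT_URL}"',
        csp_name: "; ".join(directives),
    }


def _record(document_url: Optional[str], blocked_url: Optional[str],
            directive: Optional[str], disposition: Optional[str],
            source_file: Optional[str], line: Any) -> dict:
    """Common shape for triage, whichever wire format the report arrived in."""
    return {
        "document_url": document_url,
        "blocked_url": blocked_url,
        "effective_directive": directive,
        "disposition": disposition,        # "report" for report-only, "enforce" otherwise
        "source_file": source_file,
        "line_number": line,
    }


def parse_csp_reports(content_type: str, body: bytes) -> list:
    """Parse a POSTed report body into a list of normalised records.

    Malformed bodies, unknown media types and non-CSP report types yield []
    instead of raising: the endpoint is reachable by any client, so it must
    never fail on unexpected input."""
    media_type = content_type.split(";")[0].strip().lower()
    try:
        data = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return []
    records = []
    if media_type == "application/reports+json":
        # Reporting API batch: array of reports, each with a "type" and a "body"
        if not isinstance(data, list):
            return []
        for report in data:
            if not isinstance(report, dict) or report.get("type") != "csp-violation":
                continue
            b = report.get("body") or {}
            records.append(_record(b.get("documentURL"), b.get("blockedURL"),
                                   b.get("effectiveDirective"), b.get("disposition"),
                                   b.get("sourceFile"), b.get("lineNumber")))
    elif media_type == "application/csp-report":
        # Legacy report-uri format: one object wrapped in "csp-report"
        b = data.get("csp-report") if isinstance(data, dict) else None
        if isinstance(b, dict):
            records.append(_record(b.get("document-uri"), b.get("blocked-uri"),
                                   b.get("effective-directive"), b.get("disposition"),
                                   b.get("source-file"), b.get("line-number")))
    return records


# Constructed sample payloads (not captured from a real browser).
POLICY = build_headers()["Content-Security-Policy-Report-Only"]
REPORT_TO_SAMPLE = json.dumps([{
    "age": 12, "type": "csp-violation", "url": "https://example.com/page",
    "user_agent": "constructed-ua/1.0",
    "body": {"documentURL": "https://example.com/page", "blockedURL": "inline",
             "effectiveDirective": "script-src-elem", "originalPolicy": POLICY,
             "disposition": "report", "statusCode": 200,
             "sourceFile": "https://example.com/page", "lineNumber": 17, "columnNumber": 3},
}]).encode("utf-8")
REPORT_URI_SAMPLE = json.dumps({"csp-report": {
    "document-uri": "https://example.com/page", "referrer": "",
    "blocked-uri": "http://cdn.example.org/lib.js",       # insecure (HTTP) load
    "effective-directive": "script-src-elem", "violated-directive": "default-src",
    "original-policy": POLICY, "disposition": "report", "status-code": 200,
}}).encode("utf-8")


def demo() -> list:
    """Run both samples through the parser, as a receiving endpoint would."""
    return (parse_csp_reports("application/reports+json; charset=utf-8", REPORT_TO_SAMPLE)
            + parse_csp_reports("application/csp-report", REPORT_URI_SAMPLE))


if __name__ == "__main__":
    for name, value in build_headers().items():
        print(f"{name}: {value}")
    for rec in demo():
        print(rec)
```

Two records come out of demo(): the inline-script violation from the Reporting API batch and the plain-HTTP script load from the legacy report. Both carry disposition "report", which is how a receiver can tell that the policy was delivered as Content-Security-Policy-Report-Only rather than enforced.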
Specifications
| Specification |
|---|
| Content Security Policy Level 3 # cspro-header |
Browser compatibility
See also
- Content-Security-Policy
- CSP report-to directive
- CSP report-uri directive (deprecated)