The HTTP Content-Security-Policy-Report-Only response header allows content security policies to be tested and their violations reported, but not enforced.


The HTTP Content-Security-Policy-Report-Only response header is helpful for web developers who want to experiment with content security policies. It lets them monitor the effects of a policy without enforcing it: the browser sends a report for each violation that the policy would have blocked.

Content-Security-Policy-Report-Only: <directive>


All of the directives from the HTTP Content-Security-Policy header can be used. However, the report-uri directive must be included; without it, this header has no effect, because the browser has nowhere to send the reports.

Report Contents

The following describes the data that comes with each report. All reports are in JSON format.


The blocked-uri field gives the URI of the resource that the content security policy blocked. If its origin differs from the document-uri, it is truncated to just the scheme, host, and port.


The document-uri field is the URI of the document in which the violation occurred.


The disposition field is either report or enforce, reflecting whether the policy was delivered in a Content-Security-Policy-Report-Only header (report) or in an enforcing Content-Security-Policy header (enforce).


The effective-directive field names the directive that was violated, or whose enforcement led to the policy violation.


The original-policy field contains the original policy, as specified by the HTTP Content-Security-Policy-Report-Only header.


The referrer field contains the referrer of the document that caused the policy violation.


The script-sample field contains the first 40 characters of the code that caused the violation. This may be the beginning of an inline script, an event handler, or an inline style.


The status-code field is the HTTP status code of the relevant resource.


The violated-directive field contains the name of the policy section that was violated.
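As an added example (not part of the original page), here is a small receiver-side parser in Python for the reports described above. It assumes the report-uri delivery format, in which the browser POSTs a JSON body that wraps the fields above in a "csp-report" object; the sample reports and the hostnames in them are constructed.

```python
import json
from collections import Counter
from urllib.parse import urlsplit

def parse_csp_report(body):
    """Parse one report-uri POST body (JSON wrapped in a "csp-report" object).
    Returns a normalized dict, or None if the body is not a usable report."""
    try:
        data = json.loads(body)
    except (ValueError, TypeError):
        return None
    report = data.get("csp-report") if isinstance(data, dict) else None
    if not isinstance(report, dict):
        return None
    directive = report.get("effective-directive") or report.get("violated-directive")
    if not isinstance(directive, str) or not directive.strip():
        return None
    blocked = str(report.get("blocked-uri", ""))
    # Inline code and eval arrive as keywords, not URIs. For real URIs keep only
    # the origin, as the browser already does for cross-origin resources.
    parts = urlsplit(blocked)
    source = f"{parts.scheme}://{parts.netloc}" if parts.netloc else (blocked or "unknown")
    return {
        "directive": directive.split()[0],
        "source": source,
        "disposition": report.get("disposition", "report"),
        "sample": str(report.get("script-sample", ""))[:40],
    }

def summarize(bodies):
    """Count (directive, source) pairs so the policy author sees what an
    enforced policy would block before switching to Content-Security-Policy."""
    counts = Counter()
    for body in bodies:
        parsed = parse_csp_report(body)
        if parsed is not None:
            counts[(parsed["directive"], parsed["source"])] += 1
    return counts

# Constructed sample reports, not captured traffic. The third is deliberately malformed.
SAMPLE_REPORTS = [
    json.dumps({"csp-report": {"document-uri": "https://example.com/page", "disposition": "report",
        "effective-directive": "script-src", "violated-directive": "script-src 'self'",
        "original-policy": "default-src 'self'; report-uri /csp-reports",
        "blocked-uri": "https://cdn.example.net/lib/widget.js?v=3", "status-code": 200}}),
    json.dumps({"csp-report": {"document-uri": "https://example.com/page", "disposition": "report",
        "effective-directive": "script-src", "violated-directive": "script-src 'self'",
        "blocked-uri": "inline", "script-sample": "document.getElementById('x').onclick = go"}}),
    "{not json",
]
```

Running summarize(SAMPLE_REPORTS) yields one external script origin and one inline script, which is exactly the list to review (add a source or a nonce, or fix the page) before the policy is moved to the enforcing header.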


The Content-Security-Policy-Report-Only response header allows website administrators and developers to test policies by reporting violations without enforcing them.


Last updated: June 20, 2022