Content-Security-Policy-Report-Only
The HTTP Content-Security-Policy-Report-Only response header lets a content security policy be tested: violations are reported, but the policy is not enforced.
Usage
The HTTP Content-Security-Policy-Report-Only response header is useful for web developers who want to experiment with content security policies. It lets them monitor the effects of a policy without having it enforced. The reports list every violation the policy would have caused had it been enforced.
Content-Security-Policy-Report-Only: <directive>
Note
All of the directives from the HTTP Content-Security-Policy header can be used. However, the report-uri directive must be included; otherwise this HTTP header has no effect, because there is nowhere to send the reports.
Report Contents
The fields below describe the data sent in each report. All reports are in JSON format.
blocked-uri
The blocked-uri field indicates the URI of the resource that was blocked by the content security policy. If its origin differs from the document-uri, it is truncated to just the scheme, host, and port.
document-uri
The document-uri field is the URI of the document in which the violation occurred.
disposition
The disposition field is either report or enforce. It reflects how the policy was delivered: report when the Content-Security-Policy-Report-Only header was used, enforce otherwise.
effective-directive
The effective-directive field names the directive that was violated, or whose enforcement led to the policy violation.
original-policy
The original-policy field contains the original policy text, as specified in the HTTP Content-Security-Policy-Report-Only header.
referrer
The referrer field contains the referrer of the document in which the policy violation occurred.
script-sample
The script-sample field contains the first 40 characters of the code that caused the violation. This may be the beginning of an inline script, event handler, or style.
status-code
The status-code field is the HTTP status code of the relevant resource.
violated-directive
The violated-directive field contains the name of the policy section that was violated.
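To show how these fields arrive at a report-uri endpoint, here is an added example (not part of the original page) that parses a constructed sample report, pulls out the documented fields, applies the cross-origin rule for blocked-uri, and turns the result into a log line; the URLs and function names are assumptions.

```python
import json
from urllib.parse import urlsplit

# The report fields described above; absent fields come back as None.
REPORT_FIELDS = (
    "blocked-uri", "document-uri", "disposition", "effective-directive",
    "original-policy", "referrer", "script-sample", "status-code",
    "violated-directive",
)

# Constructed sample of the JSON body a browser POSTs to the report-uri
# endpoint; the violation is wrapped in a top-level "csp-report" object.
SAMPLE_REPORT = json.dumps({"csp-report": {
    "document-uri": "https://app.example/checkout",
    "referrer": "https://app.example/cart",
    "blocked-uri": "https://cdn.example/widget.js",
    "effective-directive": "script-src",
    "violated-directive": "script-src",
    "original-policy": "default-src 'self'; script-src 'self'; report-uri /csp",
    "disposition": "report",
    "status-code": 200,
    "script-sample": "",
}})


def parse_csp_report(body: str) -> dict:
    """Parse a report-uri POST body into a flat dict of the documented fields."""
    report = json.loads(body).get("csp-report")
    if not isinstance(report, dict):
        raise ValueError("body has no csp-report object")
    return {name: report.get(name) for name in REPORT_FIELDS}


def is_cross_origin(report: dict) -> bool:
    """True when the blocked resource's origin differs from the document's
    (the case in which the browser strips blocked-uri to scheme, host, port)."""
    blocked = urlsplit(report["blocked-uri"] or "")
    doc = urlsplit(report["document-uri"] or "")
    if not blocked.scheme:  # values such as inline or eval carry no origin
        return False
    return (blocked.scheme, blocked.netloc) != (doc.scheme, doc.netloc)


def summarize(report: dict) -> str:
    """One log line per violation; disposition tells us whether the resource
    was actually blocked or only would have been under enforcement."""
    mode = "would-block" if report["disposition"] == "report" else "blocked"
    blocked = report["blocked-uri"] or "<none>"
    return f"{mode} {report['effective-directive']}: {blocked} on {report['document-uri']}"
```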
Takeaway
The Content-Security-Policy-Report-Only response header allows website administrators and developers to test policies by reporting violations without enforcing them.