The HTTP Content-Security-Policy-Report-Only response header allows for the content security policies to be tested and reported, but not enforced.
The HTTP Content-Security-Policy-Report-Only response header is helpful for web developers who want to experiment with content security policies. It lets them monitor the effects of a policy without having it enforced: every violation the policy would have blocked is instead reported.
All of the directives from the HTTP Content-Security-Policy header can be used. However, the report-uri directive must be included; without it the browser has nowhere to send reports, and this HTTP header has no function.
Following is a description of the data that comes with the reports. All reports are sent as JSON, with the fields below.
blocked-uri field indicates the URI of the resource that was blocked by the content security policy. If its origin differs from the document-uri, it is truncated to just the scheme, host, and port.
document-uri field is the URI of the document that caused the violation.
disposition field is set to either report or enforce, reflecting whether the policy was delivered with the Content-Security-Policy-Report-Only header (report) or the Content-Security-Policy header (enforce).
effective-directive field refers to the directive that was violated, or whose enforcement led to the policy violation.
original-policy field indicates the original policy, as specified by the HTTP Content-Security-Policy-Report-Only header.
referrer field contains the referrer of the document that caused the policy violation.
script-sample field contains the first 40 characters of the code that caused the violation. This may be the beginning of an inline script, event handler, or style.
status-code field refers to the HTTP status code of the relevant resource.
violated-directive field contains the name of the policy section that was violated.
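As an added example (not part of the original page), here is a minimal receiver for the report-uri endpoint that validates the fields described above and turns a report into one log line. It assumes the browser wraps the fields in a top-level "csp-report" JSON object, and the sample report is constructed for illustration.

```python
import json
from dataclasses import dataclass

@dataclass
class CspViolation:
    document_uri: str
    blocked_uri: str
    violated_directive: str
    effective_directive: str
    disposition: str
    original_policy: str
    referrer: str
    script_sample: str
    status_code: int

def parse_csp_report(body: str) -> CspViolation:
    """Parse the JSON a browser POSTs to report-uri; raise on malformed input."""
    data = json.loads(body)
    report = data.get("csp-report") if isinstance(data, dict) else None
    if not isinstance(report, dict):
        raise ValueError("body is not wrapped in a csp-report object")
    if not (report.get("document-uri") and report.get("violated-directive")):
        raise ValueError("report lacks document-uri or violated-directive")
    disposition = report.get("disposition", "")
    if disposition not in ("report", "enforce", ""):
        raise ValueError(f"unexpected disposition {disposition!r}")
    return CspViolation(
        document_uri=report["document-uri"],
        blocked_uri=report.get("blocked-uri", ""),
        violated_directive=report["violated-directive"],
        effective_directive=report.get("effective-directive", report["violated-directive"]),
        disposition=disposition,
        original_policy=report.get("original-policy", ""),
        referrer=report.get("referrer", ""),
        script_sample=report.get("script-sample", "")[:40],  # browsers send at most 40 chars
        status_code=int(report.get("status-code", 0)),
    )

def summarize(v: CspViolation) -> str:
    """One log line per report: mode, directive, what was blocked, and where."""
    mode = "report-only" if v.disposition == "report" else "enforced"
    return f"{mode}: {v.effective_directive} blocked {v.blocked_uri or '(no uri)'} on {v.document_uri}"

# Constructed sample report, not a captured one.
SAMPLE_REPORT = json.dumps({"csp-report": {
    "document-uri": "https://app.example/checkout", "referrer": "https://app.example/cart",
    "violated-directive": "script-src", "effective-directive": "script-src",
    "original-policy": "default-src 'self'; script-src 'self'; report-uri /csp-report",
    "disposition": "report", "blocked-uri": "https://cdn.third-party.example",
    "status-code": 200, "script-sample": ""}})
```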
The Content-Security-Policy-Report-Only response header allows website administrators and developers to test policies by reporting violations without enforcing them.