Document-Isolation-Policy-Report-Only
The HTTP Document-Isolation-Policy-Report-Only response header tests a Document-Isolation-Policy without enforcement, reporting violations occurring when cross-origin subresources lack the required opt-in headers.
Usage
Deploying Document-Isolation-Policy with isolate-and-require-corp blocks cross-origin subresources lacking CORS or Cross-Origin-Resource-Policy headers. The Document-Isolation-Policy-Report-Only header detects these violations and sends reports to a designated endpoint without blocking the resources. The document is not cross-origin isolated in report-only mode.
The header accepts the same values as Document-Isolation-Policy: isolate-and-require-corp and isolate-and-credentialless. Pair the header with a report-to parameter pointing to an endpoint configured via Reporting-Endpoints. Each violation report includes the blocked URL, resource destination, and a disposition of "reporting" to distinguish report-only from enforcement reports.
A common deployment pattern starts with the report-only header to identify which subresources need CORS or CORP headers. After resolving all violations, the site switches to the enforcing Document-Isolation-Policy header. Both headers are valid simultaneously. The enforcement header blocks violating resources while the report-only header monitors for a stricter policy.
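The deployment pattern above turns the collected reports into a worklist of third-party origins that still need CORP or CORS headers. The following collector-side triage is an added example, not code from the page or from any browser or specification; it assumes the report type string and body field names (blockedURL, destination, disposition) follow the Cross-Origin-Embedder-Policy report shape, and that enforcement reports carry the disposition "enforce":

```python
import json
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed Reporting API delivery body (a JSON array of reports) as the
# endpoint named by report-to would receive it. Report type and body field
# names are assumed to mirror COEP reports; adjust to what the browser sends.
SAMPLE_BODY = json.dumps([
    {"type": "dip", "url": "https://example.re/app",
     "body": {"blockedURL": "https://cdn.example.net/lib.js",
              "destination": "script", "disposition": "reporting"}},
    {"type": "dip", "url": "https://example.re/app",
     "body": {"blockedURL": "https://cdn.example.net/app.css",
              "destination": "style", "disposition": "reporting"}},
    {"type": "dip", "url": "https://example.re/app",
     "body": {"blockedURL": "https://img.example.org/logo.png",
              "destination": "image", "disposition": "reporting"}},
    # Block from the simultaneously deployed enforcing header
    # (enforcement disposition value assumed to be "enforce").
    {"type": "dip", "url": "https://example.re/app",
     "body": {"blockedURL": "https://legacy.example.org/widget.js",
              "destination": "script", "disposition": "enforce"}},
    # Unrelated report type; the triage must ignore it.
    {"type": "csp-violation", "url": "https://example.re/app", "body": {}},
])


def triage_dip_reports(body: str) -> dict:
    """Group report-only violations by the origin that must add CORP/CORS.

    Returns {"needs_corp": {origin: sorted blocked URLs},
             "enforced_blocks": [blocked URLs]}. Only "reporting"
    dispositions feed the worklist; "enforce" entries are already blocked.
    """
    needs_corp = defaultdict(set)
    enforced = []
    for report in json.loads(body):
        if report.get("type") != "dip":
            continue
        violation = report.get("body") or {}
        blocked = violation.get("blockedURL")
        if not blocked:
            continue
        parts = urlsplit(blocked)
        origin = f"{parts.scheme}://{parts.netloc}"
        if violation.get("disposition") == "reporting":
            needs_corp[origin].add(blocked)
        elif violation.get("disposition") == "enforce":
            enforced.append(blocked)
    return {"needs_corp": {o: sorted(u) for o, u in needs_corp.items()},
            "enforced_blocks": enforced}


if __name__ == "__main__":
    print(json.dumps(triage_dip_reports(SAMPLE_BODY), indent=2))
```

Once every origin in needs_corp serves Cross-Origin-Resource-Policy (or answers CORS requests), the report-only header can be replaced with the enforcing one.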
The header only takes effect in secure contexts (HTTPS).
Note
Document-Isolation-Policy-Report-Only is supported in Chromium-based browsers. Firefox and Safari have not published support signals.
Values
none
The default value. No violations are monitored.
isolate-and-require-corp
Reports violations for cross-origin subresources lacking CORS or Cross-Origin-Resource-Policy headers. Resources load normally despite the violation.
isolate-and-credentialless
Reports violations under the credentialless isolation model. Because credentialless mode strips credentials from no-CORS cross-origin requests rather than blocking them, this mode generates fewer reports than isolate-and-require-corp.
Directives
report-to
The report-to parameter specifies the reporting endpoint name. Without this parameter, violations are detected but not delivered to any endpoint.
Example
Testing strict isolation before enforcement. The browser loads all resources normally but sends reports for any cross-origin subresource missing CORS or CORP headers.
Document-Isolation-Policy-Report-Only: isolate-and-require-corp; report-to="dip-reports"
Reporting-Endpoints: dip-reports="https://example.re/reports"
Enforcing credentialless mode while monitoring for a future upgrade to strict CORP requirements.
Document-Isolation-Policy: isolate-and-credentialless
Document-Isolation-Policy-Report-Only: isolate-and-require-corp; report-to="dip-audit"
Takeaway
The Document-Isolation-Policy-Report-Only header monitors subresource violations without blocking them, enabling safe testing of Document-Isolation-Policy before enforcement.
See also
- Document Isolation Policy (WICG)
- Document Isolation Policy Explainer (Google)
- Document-Isolation-Policy
- Cross-Origin-Embedder-Policy
- Cross-Origin-Embedder-Policy-Report-Only
- Cross-Origin-Resource-Policy
- Origin-Agent-Cluster
- HTTP headers