Browser Reporting
This is a live reporting demo tool. Although you'll dive into the technologies mentioned below, you'll not dive very deep; instead, we'll focus on the reporting side of things. The headers shown here are real headers sent by the server and received by your browser, with real values. You can click around and see how things behave and how reporting works. These demos also work on smaller screens and mobile devices, although sometimes it might be handy to use a desktop browser to open developer tools (F12, Ctrl/Cmd+Shift+I) and watch the Console and Network tabs. In Chrome, you can also use chrome://net-export/ (copy/paste the link) to see "hidden" asynchronous reports in exported logs. See my article about how to read the logs.
Not all of these use the Reporting API; some are proprietary reporting mechanisms and you'll notice them easily – they don't use the Report-To header.
- Content Security Policy report-uri
- Content Security Policy report-to
- More CSP report-to – load resources by specified URL, submit forms
- CSP Report-Only report-uri – mixed content detection
- CSP Report-Only report-to
- Crash
- Deprecation
- Intervention
- Network Error Logging
- Permissions Policy
- Permissions Policy in iframes
- Permissions Policy Report-Only
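The demos above send reports through two different mechanisms, and a collector has to handle both shapes: a report-uri POST carries one violation as `{"csp-report": {...}}` with kebab-case keys and Content-Type `application/csp-report`, while a Reporting API (report-to) POST carries a batch of `{age, type, url, user_agent, body}` objects with camelCase body keys and Content-Type `application/reports+json`. The following receiver logic is an added example, not code from canhas.report; the sample payloads are constructed, and the endpoint URL in the comment is a placeholder.

```javascript
// Added example (not canhas.report code): normalize report-uri and report-to
// payloads into one shape so both CSP demos end up in the same pipeline.
//
// The Reporting API endpoint is declared by a header such as (hypothetical URL):
//   Report-To: {"group":"default","max_age":86400,"endpoints":[{"url":"https://reports.example/collect"}]}
// and referenced from the policy with `report-to default`; the legacy path uses
// `report-uri https://reports.example/collect` directly.

// Legacy csp-report keys (CSP2 / report-uri) mapped to Reporting API
// csp-violation body names (CSP3 / report-to).
const LEGACY_TO_REPORTING = {
  'document-uri': 'documentURL',
  'referrer': 'referrer',
  'violated-directive': 'violatedDirective',
  'effective-directive': 'effectiveDirective',
  'original-policy': 'originalPolicy',
  'disposition': 'disposition',
  'blocked-uri': 'blockedURL',
  'line-number': 'lineNumber',
  'column-number': 'columnNumber',
  'source-file': 'sourceFile',
  'status-code': 'statusCode',
  'script-sample': 'sample',
};

// Parse one request body and return an array of {type, url, body}.
// A single report-uri violation and a batched report-to violation end up identical.
function normalizeReports(contentType, bodyText) {
  const mediaType = contentType.split(';')[0].trim().toLowerCase();
  const data = JSON.parse(bodyText);

  if (mediaType === 'application/csp-report') {
    const legacy = data['csp-report'];
    if (!legacy || typeof legacy !== 'object') throw new Error('missing csp-report object');
    const body = {};
    for (const [key, value] of Object.entries(legacy)) {
      body[LEGACY_TO_REPORTING[key] ?? key] = value; // keep unknown keys as-is
    }
    return [{ type: 'csp-violation', url: body.documentURL, body }];
  }

  if (mediaType === 'application/reports+json') {
    if (!Array.isArray(data)) throw new Error('Reporting API body must be a JSON array');
    return data.map((r) => ({ type: r.type, url: r.url, body: r.body ?? {} }));
  }

  throw new Error(`unsupported report Content-Type: ${contentType}`);
}

// Tally report types, e.g. to route crash reports to a different queue.
function countByType(reports) {
  const counts = {};
  for (const r of reports) counts[r.type] = (counts[r.type] ?? 0) + 1;
  return counts;
}

// Constructed sample payloads (not captured from a real browser).
const SAMPLE_LEGACY = JSON.stringify({
  'csp-report': {
    'document-uri': 'https://example.test/page',
    'violated-directive': 'img-src',
    'effective-directive': 'img-src',
    'original-policy': "default-src 'self'; report-uri https://reports.example/collect",
    'blocked-uri': 'https://evil.test/pixel.gif',
    'status-code': 200,
  },
});

const SAMPLE_REPORTING = JSON.stringify([
  { age: 10, type: 'csp-violation', url: 'https://example.test/page', user_agent: 'UA',
    body: { documentURL: 'https://example.test/page', effectiveDirective: 'img-src',
            blockedURL: 'https://evil.test/pixel.gif', disposition: 'enforce' } },
  { age: 120, type: 'crash', url: 'https://example.test/page', user_agent: 'UA',
    body: { reason: 'oom' } },
]);
```

When wired into an HTTP handler, answer both kinds of POST with `204 No Content` and accept the CORS preflight the Reporting API sends for cross-origin endpoints; a rejected preflight silently drops the batch, which is one of the reasons to watch chrome://net-export/ logs as mentioned above.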
Removed Browser Reporting
Browsers used to send some reports but don't anymore as these features have been (mostly) removed:
Other Reporting
- Certification Authority Authorization (CAA)
- Domain-based Message Authentication, Reporting and Conformance (DMARC)
- SMTP TLS Reporting (SMTP TLSRPT)
Trusted Types DOM-based XSS Prevention & Reporting
Trusted Types require you to pass data through a policy (which is where you escape or sanitize it) before assigning it to a property like innerHTML or passing it to a method like document.write(). These dangerous features that can execute arbitrary JavaScript are called sinks, and when Trusted Types are enabled, these sinks no longer accept plain strings – an HTML sink only accepts a TrustedHTML object (script and script URL sinks expect TrustedScript and TrustedScriptURL). You can produce such objects by creating a policy and calling its createHTML() method. See my article about DOM-based XSS and Trusted Types for more details.
- Injection Sinks Detection with Trusted Types and CSPRO
- Prevent DOM-XSS with Trusted Types and a custom policy
- Prevent DOM-XSS with Trusted Types and a default policy
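The three demos above correspond to three steps: find the sinks with a report-only policy, then fix them with a named policy, with a default policy as a safety net for code you can't change yet. The code below is an added example and not the demo code from canhas.report; the policy names, the report endpoint and the fake `trustedTypes` used in the fallback are assumptions. In a browser the `trustedTypes` global does the real work; outside one (including Node, where this runs), the same functions fall back to plain strings so the escaping logic can be exercised.

```javascript
// Added example (not canhas.report code): Trusted Types policies for the
// three stages above. Assumed headers (hypothetical endpoint URL):
//
//   1. Detect sinks without breaking anything:
//      Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://reports.example/collect
//   2. Enforce, allowing only the two policy names used here:
//      Content-Security-Policy: require-trusted-types-for 'script'; trusted-types escaper default
//
// `trusted-types escaper default` is an allow-list of policy names; creating a
// policy under any other name is itself a violation and gets reported.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape every character that can break out of HTML text or attribute context.
function escapeHtml(input) {
  return String(input).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Create a real policy when the browser exposes trustedTypes; otherwise return
// a plain object with the same createHTML interface so callers don't change.
function createPolicy(name, rules, tt = globalThis.trustedTypes) {
  if (tt && typeof tt.createPolicy === 'function') return tt.createPolicy(name, rules);
  return { name, ...rules }; // fallback for browsers without Trusted Types (and Node)
}

// Named policy: the only place application code should mint TrustedHTML.
const escaper = createPolicy('escaper', { createHTML: escapeHtml });

// Sinks only ever receive the policy's output, never the raw string.
// `element` is anything with an innerHTML property (a DOM element in the browser).
function renderUntrusted(element, untrusted) {
  element.innerHTML = escaper.createHTML(untrusted);
  return element.innerHTML;
}

// Default policy: the browser invokes it whenever a raw string reaches a sink.
// Browsers pass the type name and the sink (e.g. "Element innerHTML") as extra
// arguments; recording them gives you a to-do list of sinks still fed strings,
// while returning escaped HTML keeps the page working in the meantime.
const seenSinks = [];
function createDefaultPolicy(tt = globalThis.trustedTypes) {
  return createPolicy('default', {
    createHTML: (value, ...context) => {
      const sink = context.length ? context[context.length - 1] : 'unknown';
      seenSinks.push({ sink, sample: String(value).slice(0, 40) });
      return escapeHtml(value);
    },
  }, tt);
}
```

Start with step 1 only: the report-only header plus no policies produces a report for every sink that receives a string, which is the inventory you need. Once each of those call sites goes through `escaper`, switch to the enforcing header; keep the default policy only as long as third-party code you don't control still writes strings to sinks, because an escaping default policy silently turns that code's intended HTML into text.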
Your Reports
- View your reports (kept for 30 days)
- Your canhas.report reporting subdomain is twisty
- Instead, you can send reports to Report URI report aggregator and monitoring platform:
Meta
- Source code
- The domain name can has is a reference to this meme
Tools
- report-uri.com Browser reporting aggregator ← I've worked on this one
- securityheaders.com Security headers tester
- Other testers: hardenize.com, observatory.mozilla.org