Browser Reporting

This is a live reporting demo tool. Although you'll dive deep into the technologies mentioned below, you'll not dive very deep, and instead, we'll focus on the reporting side of things. The headers shown here are real headers sent by the server and received by your browser, with real values. You can click around and see how things behave and how reporting works. These demos also work on smaller screens and mobile devices, although sometimes it might be handy to use a desktop browser to open developer tools (F12, Ctrl/Cmd+Shift+I) and watch the Console and Network tabs. In Chrome, you can also use chrome://net-export/ (copy/paste the link) to see "hidden" asynchronous reports in exported logs. See my article about how to read the logs.

Not all of these use Reporting API, some are proprietary reporting mechanisms and you'll notice them easily – they don't use the Report-To header.

  1. Content Security Policy report-uri
  2. Content Security Policy report-to
  3. More CSP report-to – load resources by specified URL, submit forms
  4. CSP Report-Only report-uri – mixed content detection
  5. CSP Report-Only report-to
  6. Crash
  7. Deprecation
  8. Intervention
  9. Network Error Logging
  10. Permissions Policy
  11. Permissions Policy in iframes
  12. Permissions Policy Report-Only

Removed Browser Reporting

Browsers used to send some reports but don't anymore as these features have been (mostly) removed:

Other Reporting

  1. Certification Authority Authorization (CAA)
  2. Domain-based Message Authentication, Reporting and Conformance (DMARC)
  3. SMTP TLS Reporting (SMTP TLSRPT)

Trusted Types DOM-based XSS Prevention & Reporting

Trusted Types require you to escape the data before passing it to a property like innerHTML or a method like document.write(). These dangerous features that can execute arbitrary JavaScript are called sinks and when Trusted Types are enabled, these sinks only accept a TrustedHTML object. You can produce such objects by creating a policy and calling its createHTML() method. See my article about DOM-based XSS and Trusted Types for more details.

  1. Injection Sinks Detection with Trusted Types and CSPRO
  2. Prevent DOM-XSS with Trusted Types and a custom policy
  3. Prevent DOM-XSS with Trusted Types and a default policy

Your Reports