Browser Reporting

This is a live reporting demo tool. It touches on the technologies mentioned below without going very deep into any of them; the focus is on the reporting side of things. The headers shown here are real headers sent by the server and received by your browser, with real values. You can click around and see how things behave and how reporting works. These demos also work on smaller screens and mobile devices, although it is sometimes handy to use a desktop browser so you can open the developer tools (F12, Ctrl/Cmd+Shift+I) and watch the Console and Network tabs. In Chrome, you can also use chrome://net-export/ (copy/paste the link) to see "hidden" asynchronous reports in the exported logs. See my article about how to read the logs.

Not all of these use the Reporting API; some are proprietary reporting mechanisms, and you'll notice them easily: they don't use the Report-To header.

  1. Content Security Policy report-uri
  2. Content Security Policy report-to
  3. More CSP report-to – load resources by specified URL, submit forms
  4. CSP Report-Only report-uri – mixed content detection
  5. CSP Report-Only report-to
  6. Crash
  7. Deprecation
  8. Intervention
  9. Network Error Logging
  10. Permissions Policy
  11. Permissions Policy in iframes
  12. Permissions Policy Report-Only

Removed Browser Reporting

Browsers used to send some reports but don't anymore as these features have been (mostly) removed:

Other Reporting

  1. Certification Authority Authorization (CAA)
  2. Domain-based Message Authentication, Reporting and Conformance (DMARC)
  3. SMTP TLS Reporting (SMTP TLSRPT)

Trusted Types DOM-based XSS Prevention & Reporting

  1. Injection Sinks Detection with Trusted Types and CSPRO
  2. Prevent DOM-XSS with Trusted Types and a custom policy
  3. Prevent DOM-XSS with Trusted Types and a default policy

Your Reports