
Sending Content Security Policy violation reports with the Reporting API, using the Report-To header: asynchronously and out-of-band, whenever the browser feels like it

The CSP header:

Content-Security-Policy: default-src 'none'; img-src 'self' https://www.michalspacek.cz; script-src 'nonce-DYqDP9cvx3fhAUyLFizL0Q==' 'self' 'report-sample'; style-src 'self'; report-to default

The Report-To header:

Report-To: {"group":"default","max_age":60,"endpoints":[{"url":"https://erato.has.report/report.php"}],"include_subdomains":true}
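The two headers above fit together: the `report-to default` directive in the CSP names the `default` group that the Report-To header defines, and the browser batches any violations and POSTs them later to the group's endpoint as a JSON array with Content-Type application/reports+json. The following is an added example, not the page's report.php: it rebuilds the page's two header values from their parts and shows what a minimal collector must check before trusting a batch. The sample batch, the demo page URL and the user agent string are constructed; the report body field names follow the camelCase names of the CSP3 specification, which is an assumption about what the collecting browser sends.

```python
"""Minimal collector for CSP violation reports delivered through the Reporting API
(Report-To header). Added example; the page's own report.php is not shown."""
import json

# Reporting API batches arrive as a JSON array with this media type.
REPORTS_CONTENT_TYPE = "application/reports+json"

# Fields of a csp-violation report body we keep (CSP3 camelCase names, assumed).
CSP_BODY_FIELDS = ("documentURL", "blockedURL", "effectiveDirective",
                   "disposition", "sample", "sourceFile", "lineNumber")


def csp_headers(nonce, group="default",
                endpoint="https://erato.has.report/report.php", max_age=60):
    """Return the CSP and Report-To header values as used on the page.
    The report-to directive names the group that Report-To defines."""
    csp = ("default-src 'none'; "
           "img-src 'self' https://www.michalspacek.cz; "
           f"script-src 'nonce-{nonce}' 'self' 'report-sample'; "
           "style-src 'self'; "
           f"report-to {group}")
    report_to = json.dumps({
        "group": group,
        "max_age": max_age,             # seconds the browser caches this endpoint config
        "endpoints": [{"url": endpoint}],
        "include_subdomains": True,
    }, separators=(",", ":"))
    return {"Content-Security-Policy": csp, "Report-To": report_to}


def parse_report_batch(content_type, raw_body):
    """Validate one POST from the browser's reporting agent and return the
    csp-violation reports in it, reduced to the fields above.
    Raises ValueError for anything that is not a well-formed report batch."""
    media_type = content_type.split(";", 1)[0].strip().lower()
    if media_type != REPORTS_CONTENT_TYPE:
        raise ValueError(f"unexpected Content-Type {content_type!r}")
    try:
        batch = json.loads(raw_body)
    except ValueError as exc:
        raise ValueError("body is not JSON") from exc
    if not isinstance(batch, list):
        raise ValueError("report batch must be a JSON array")
    violations = []
    for report in batch:
        # Other report types (deprecation, network-error, ...) are ignored here.
        if not isinstance(report, dict) or report.get("type") != "csp-violation":
            continue
        body = report.get("body")
        if not isinstance(body, dict):
            continue
        entry = {field: body.get(field) for field in CSP_BODY_FIELDS}
        entry["age_ms"] = report.get("age")   # how long the browser held the report
        entry["user_agent"] = report.get("user_agent")
        violations.append(entry)
    return violations


# Constructed batch: the two "attacker" cases from the demo page plus an
# unrelated report type that a collector should skip.
SAMPLE_BATCH = json.dumps([
    {"type": "csp-violation", "age": 12, "url": "https://demo.example/reports",
     "user_agent": "Mozilla/5.0 (constructed)",
     "body": {"documentURL": "https://demo.example/reports",
              "blockedURL": "https://example.com/image.png",
              "effectiveDirective": "img-src", "disposition": "enforce",
              "statusCode": 200}},
    {"type": "csp-violation", "age": 13, "url": "https://demo.example/reports",
     "user_agent": "Mozilla/5.0 (constructed)",
     "body": {"documentURL": "https://demo.example/reports",
              "blockedURL": "inline", "effectiveDirective": "script-src",
              "disposition": "enforce",
              "sample": "console.log('inline script without nonce')",
              "lineNumber": 42}},
    {"type": "deprecation", "age": 5, "url": "https://demo.example/reports",
     "user_agent": "Mozilla/5.0 (constructed)", "body": {"id": "constructed"}},
])

if __name__ == "__main__":
    for name, value in csp_headers("DYqDP9cvx3fhAUyLFizL0Q==").items():
        print(f"{name}: {value}")
    for v in parse_report_batch("application/reports+json; charset=utf-8", SAMPLE_BATCH):
        print(f"{v['effectiveDirective']} blocked {v['blockedURL']} on {v['documentURL']}")
```

The Content-Type check matters because the same endpoint URL is also a plausible target for ordinary form posts and for the older report-uri mechanism (application/csp-report, a single object rather than an array); a collector that accepts either shape silently will misattribute or lose reports. Note the `max_age` of 60 seconds on the page's header: the browser forgets the endpoint a minute after the last response carrying it, so it only keeps delivering reports while pages keep sending the Report-To header.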

Try it with images

Loaded image

another image from https://www.michalspacek.cz (allowed)

Now simulate an attacker:
an image from https://example.com (not in img-src, so it is blocked and a report is sent)

… and with JavaScript

(allowed, the script tag contains nonce="DYqDP9cvx3fhAUyLFizL0Q==")

Simulate an attacker:
a script tag that does not match script-src (blocked, and a report is sent)