↩ Back Reports

Sending Content Security Policy violation reports

The CSP header:

Content-Security-Policy: default-src 'none'; img-src 'self' https://www.michalspacek.cz; script-src 'nonce-XwgruynAzJWhsRpaFYVE4g==' 'self' 'report-sample'; style-src 'self'; report-uri https://hide.has.report/report.php

Try it with images

Loaded image

another image from https://www.michalspacek.cz (allowed)

Now simulate an attacker:
an image from https://example.com

… and with JavaScript

(allowed, the script tag contains nonce="XwgruynAzJWhsRpaFYVE4g==")

Simulate an attacker:
blocked JS tag