More Content Security Policy with report-to

This page sends Content Security Policy (CSP) violation reports with the report-to directive, which delivers them asynchronously through the Reporting API and may batch several reports into a single request. Read the general CSP reporting description for more details.

The CSP response header:

Content-Security-Policy: default-src 'none'; img-src 'self' https://www.michalspacek.cz; script-src 'nonce-9qO34X33CJ+cDBUrEV1+eVL8' 'self' 'report-sample'; style-src 'self' 'nonce-9qO34X33CJ+cDBUrEV1+eVL8'; form-action 'self'; report-to default

The Report-To response header:

Report-To: {"group":"default","max_age":1800,"endpoints":[{"url":"https://dirty.has.report/report"}],"include_subdomains":true}
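What the endpoint named in that Report-To header actually receives is a Reporting API delivery: one POST whose body is a JSON array of reports, each with a type, an age and a body, so several violations from one page can arrive together. The following is an added example, not code from the page or from the site it describes. It parses the page's own Report-To header and then validates and groups a constructed sample batch; the document URLs, blocked URLs and the sample snippet in that batch are invented for the demonstration, and only the csp-violation body fields defined by CSP3 for Reporting API delivery are relied on.

```python
import json
from collections import defaultdict

# The Report-To header exactly as the page sends it.
REPORT_TO_HEADER = ('{"group":"default","max_age":1800,'
                    '"endpoints":[{"url":"https://dirty.has.report/report"}],'
                    '"include_subdomains":true}')

# Body fields a csp-violation report must carry when delivered via report-to.
REQUIRED_BODY_FIELDS = {"documentURL", "effectiveDirective", "disposition", "originalPolicy"}

# Constructed sample of one Reporting API delivery (Content-Type
# application/reports+json): a JSON array batching several reports.
# Two are well-formed csp-violation reports, one is a different report
# type, and one is a csp-violation report missing required body fields.
SAMPLE_BATCH = json.dumps([
    {"type": "csp-violation", "age": 12, "url": "https://dirty.has.report/demo-page",
     "user_agent": "constructed/1.0",
     "body": {"documentURL": "https://dirty.has.report/demo-page",
              "blockedURL": "https://example.com/image.png",
              "effectiveDirective": "img-src", "disposition": "enforce",
              "originalPolicy": "default-src 'none'; img-src 'self' https://www.michalspacek.cz",
              "statusCode": 200}},
    {"type": "csp-violation", "age": 40, "url": "https://dirty.has.report/demo-page",
     "user_agent": "constructed/1.0",
     "body": {"documentURL": "https://dirty.has.report/demo-page",
              "blockedURL": "inline",
              "effectiveDirective": "script-src", "disposition": "enforce",
              "originalPolicy": "default-src 'none'; script-src 'self' 'report-sample'",
              "sample": "console.log('inline without nonce')",
              "statusCode": 200}},
    {"type": "deprecation", "age": 5, "url": "https://dirty.has.report/demo-page",
     "user_agent": "constructed/1.0", "body": {"id": "SomeFeature"}},
    {"type": "csp-violation", "age": 3, "url": "https://dirty.has.report/demo-page",
     "user_agent": "constructed/1.0", "body": {"blockedURL": "https://example.com/x.js"}},
])


def parse_report_to(header):
    """Parse a Report-To header value into a list of reporting groups.

    The header may carry several groups as comma-separated JSON objects,
    so the value is wrapped in brackets and parsed as one array.
    """
    groups = json.loads("[" + header + "]")
    parsed = []
    for group in groups:
        endpoints = group.get("endpoints")
        if not isinstance(endpoints, list) or not endpoints:
            raise ValueError("Report-To group has no endpoints")
        max_age = group.get("max_age")
        if not isinstance(max_age, int) or max_age < 0:
            raise ValueError("Report-To max_age must be a non-negative integer")
        urls = [e["url"] for e in endpoints if isinstance(e, dict) and "url" in e]
        for url in urls:
            if not url.startswith("https://"):
                raise ValueError("report endpoint must be https: " + url)
        parsed.append({"group": group.get("group", "default"),
                       "max_age": max_age, "endpoints": urls})
    return parsed


def parse_report_batch(raw):
    """Decode one application/reports+json POST body.

    Only well-formed csp-violation reports are returned; other report
    types and malformed items are dropped rather than trusted.
    """
    data = json.loads(raw)
    if not isinstance(data, list):
        raise ValueError("Reporting API batch must be a JSON array")
    good = []
    for item in data:
        if not isinstance(item, dict) or item.get("type") != "csp-violation":
            continue
        body = item.get("body")
        if not isinstance(body, dict) or not REQUIRED_BODY_FIELDS.issubset(body):
            continue
        good.append(item)
    return good


def group_by_directive(reports):
    """Group accepted reports by the directive that was violated, keeping
    the disposition and blocked URL so enforce vs. report-only is visible."""
    groups = defaultdict(list)
    for report in reports:
        body = report["body"]
        groups[body["effectiveDirective"]].append(
            (body["disposition"], body.get("blockedURL", "")))
    return dict(groups)


if __name__ == "__main__":
    print(parse_report_to(REPORT_TO_HEADER))
    print(group_by_directive(parse_report_batch(SAMPLE_BATCH)))
```

The sample report for script-src carries a "sample" field because the page's policy includes 'report-sample'; without that keyword the browser omits the snippet, so an endpoint should treat the field as optional, as this parser does.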

Load any image


… any JavaScript file


… any CSS file


Submit a form anywhere

With form-action, you can limit where forms on your page can be submitted, so if an attacker injected a fake form or changed the action of an existing form, the browser would not submit it. Please note that form-action is not part of the default-src fallback: even with default-src 'none', form submissions stay unrestricted unless form-action is explicitly specified.
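The fallback rule is easy to get wrong when auditing a policy, so here is an added example (not code from the page) that resolves which directive governs a request type and applies the default-src fallback only to fetch directives. It uses the page's own policy, once with and once without form-action, against a constructed attacker action URL; the source-expression matching is deliberately simplified to 'none', 'self' and full-origin host sources, and the intermediate fallbacks between fetch directives (for example script-src-elem to script-src) are not modelled.

```python
from urllib.parse import urlsplit

# Fetch directives fall back to default-src when absent. Navigation and
# document directives such as form-action, frame-ancestors, base-uri and
# sandbox do not, which is the point the page makes about form-action.
FETCH_DIRECTIVES = {
    "img-src", "script-src", "style-src", "font-src", "connect-src",
    "media-src", "object-src", "frame-src", "child-src", "worker-src",
    "manifest-src",
}

# The page's policy, with and without its form-action directive.
PAGE_POLICY = ("default-src 'none'; img-src 'self' https://www.michalspacek.cz; "
               "script-src 'nonce-9qO34X33CJ+cDBUrEV1+eVL8' 'self' 'report-sample'; "
               "style-src 'self' 'nonce-9qO34X33CJ+cDBUrEV1+eVL8'; "
               "form-action 'self'; report-to default")
POLICY_WITHOUT_FORM_ACTION = PAGE_POLICY.replace("form-action 'self'; ", "")

# Constructed URLs for the demonstration: the demo page and a foreign
# collection endpoint that an injected form might point at.
PAGE_URL = "https://dirty.has.report/demo-page"
FOREIGN_ACTION = "https://attacker.example/collect"


def parse_policy(header):
    """Split a CSP header into {directive-name: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def governing_directive(policy, directive):
    """Return (directive actually used, its source list), or (None, None)
    when nothing in the policy restricts this request type."""
    if directive in policy:
        return directive, policy[directive]
    if directive in FETCH_DIRECTIVES and "default-src" in policy:
        return "default-src", policy["default-src"]
    return None, None


def origin_of(url):
    parts = urlsplit(url)
    return (parts.scheme + "://" + parts.netloc).lower()


def source_list_allows(sources, page_url, target_url):
    """Simplified match: 'none' blocks everything, 'self' matches the page
    origin, and a host source matches only as a full origin."""
    if sources == ["'none'"]:
        return False
    target = origin_of(target_url)
    for source in sources:
        if source == "'self'" and target == origin_of(page_url):
            return True
        if source.startswith("https://") or source.startswith("http://"):
            if origin_of(source) == target:
                return True
    return False


def form_submission_allowed(policy, page_url, action_url):
    """Would the browser submit a form with this action under this policy?"""
    directive, sources = governing_directive(policy, "form-action")
    if directive is None:
        return True  # no form-action present: submissions are unrestricted
    return source_list_allows(sources, page_url, action_url)


if __name__ == "__main__":
    for label, header in (("with form-action", PAGE_POLICY),
                          ("without form-action", POLICY_WITHOUT_FORM_ACTION)):
        policy = parse_policy(header)
        print(label, "-> foreign submission allowed:",
              form_submission_allowed(policy, PAGE_URL, FOREIGN_ACTION))
```

Run it and the policy without form-action lets the form go to the foreign origin even though default-src is 'none', while a fetch directive that is absent, such as font-src, correctly resolves to default-src.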


Related specs & documents