Content Security Policy Report-Only with report-to

Loading images, executing JavaScript and everything else as usual but sending a Content Security Policy (CSP) violation report (with "disposition": "report" instead of "disposition": "enforce") if something would go wrong.

CSP is a policy that lets the authors (or server administrators) of a web application inform the browser about the sources from which the application expects to load resources like images, scripts, styles, or even where to submit forms. This Report-Only mode works with both report-uri and report-to directives, and is usually used for policy upgrades – an app can send both Content-Security-Policy and Content-Security-Policy-Report-Only headers with different policies.

The CSPRO (CSP Report-Only) response header:

Content-Security-Policy-Report-Only: default-src data: 'self' 'nonce-D9fc0pgHD7LQzJAeYii/Kg4R' 'report-sample'; report-to default

The Report-To response header:

Report-To: {"group":"default","max_age":1800,"endpoints":[{"url":""}],"include_subdomains":true}

Try it with images

Loaded image

an image from (allowed)

show the code

… and with JavaScript

show the code

Related specs & documents