
In report-only mode the browser loads images, executes JavaScript and does everything else as usual, but sends a Content Security Policy violation report (with "disposition": "report" instead of "disposition": "enforce") whenever something would have violated the policy.

The CSPRO (CSP Report-Only) header:

Content-Security-Policy-Report-Only: default-src 'self' 'report-sample'; report-to default


Other CSPRO uses

Mixed content detection: let the browser report HTTP resources loaded into HTTPS pages but still load them
Content-Security-Policy-Report-Only: default-src https: 'unsafe-inline'; report-to default
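
Both report-only policies above are only useful once the resulting reports are read. As an added example (not code from this page), the Node.js function below triages one Reporting API batch: it counts what the policy would have blocked, keeps the snippet that 'report-sample' attaches, and lists mixed-content hits. The function name, the helper `mk` and the sample batch with its placeholder hosts are constructed for illustration.

```javascript
// Added example: triage one Reporting API batch (application/reports+json).
// Field names follow the Reporting API's CSP violation report body.
function summarizeCspReports(batch) {
  const summary = { wouldBlock: new Map(), mixedContent: [], enforced: 0, ignored: 0 };
  for (const report of Array.isArray(batch) ? batch : []) {
    const body = report && report.body;
    if (!body || report.type !== 'csp-violation') { summary.ignored++; continue; }
    if (body.disposition === 'enforce') { summary.enforced++; continue; }
    if (body.disposition !== 'report') { summary.ignored++; continue; }

    // blockedURL is a URL or a keyword such as "inline" or "eval".
    let blocked = String(body.blockedURL || 'unknown');
    let scheme = null;
    try {
      const parsed = new URL(blocked);
      scheme = parsed.protocol;
      blocked = parsed.origin; // drop path and query, they may hold user data
    } catch (err) { /* keyword, keep as is */ }

    const key = `${body.effectiveDirective} ${blocked}`;
    const entry = summary.wouldBlock.get(key) || { count: 0, sample: body.sample || '' };
    entry.count++;
    summary.wouldBlock.set(key, entry);

    // Mixed content: an http: resource reported on an https: page.
    if (scheme === 'http:' && String(body.documentURL).startsWith('https:')) {
      summary.mixedContent.push({ page: body.documentURL, resource: blocked });
    }
  }
  return summary;
}

// Constructed sample batch; all hosts are placeholders.
const page = 'https://example.com/';
const mk = (type, disposition, effectiveDirective, blockedURL, sample) =>
  ({ type, url: page, body: { documentURL: page, disposition, effectiveDirective, blockedURL, sample } });
const sampleBatch = [
  mk('csp-violation', 'report', 'img-src', 'https://cdn.example.net/a.png?u=1'),
  mk('csp-violation', 'report', 'img-src', 'https://cdn.example.net/b.png'),
  mk('csp-violation', 'report', 'script-src-elem', 'inline', 'console.log("hi")'),
  mk('csp-violation', 'report', 'img-src', 'http://old.example.org/banner.gif'),
  mk('csp-violation', 'enforce', 'img-src', 'https://cdn.example.net/c.png'),
  mk('deprecation', undefined, undefined, undefined),
];

const summary = summarizeCspReports(sampleBatch);
console.log([...summary.wouldBlock], summary.mixedContent, summary.enforced, summary.ignored);
```

The `report-to default` directive only names a reporting endpoint; the URL behind `default` has to be declared separately in a Reporting-Endpoints (or legacy Report-To) response header.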