Content Security Policy Report-Only with report-uri – mixed content detection

This page loads images, executes JavaScript and everything else as usual, but sends a Content Security Policy (CSP) violation report (with "disposition": "report" instead of "disposition": "enforce") whenever a resource would be loaded over HTTP instead of HTTPS. Nothing is blocked; the violation is only reported.

CSP is a policy that lets the authors (or server administrators) of a web application tell the browser which sources the application expects to load resources from (images, scripts, styles, and even where forms may be submitted). Report-Only mode works with both the report-uri and report-to directives, and is typically used when rolling out a stricter policy: an app can send both the Content-Security-Policy and the Content-Security-Policy-Report-Only header, each with a different policy, so the new policy can be tested against real traffic before it is enforced.

The CSPRO (CSP Report-Only) response header:

Content-Security-Policy-Report-Only: default-src https: data: 'unsafe-inline'; report-uri https://argot.has.report/report
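As an added example (not code from this page), the script below does two things for the header above: it checks which resource URLs would generate a report under that policy (only scheme sources such as https: and data: are matched; host sources are a simplification left out), and it parses a constructed report-uri POST body of the shape browsers send, flagging reports whose blocked URI is plain HTTP as mixed content. The report values are made up; only the policy string is taken from this page.

```python
import json
from urllib.parse import urlsplit

# The CSPRO policy from this page.
POLICY = "default-src https: data: 'unsafe-inline'; report-uri https://argot.has.report/report"

# Constructed sample of an application/csp-report POST body (values are made up).
SAMPLE_REPORT = json.dumps({
    "csp-report": {
        "document-uri": "https://example.test/csp-report-only-mixed-content",
        "referrer": "",
        "violated-directive": "img-src",
        "effective-directive": "img-src",
        "original-policy": POLICY,
        "disposition": "report",
        "blocked-uri": "http://www.michalspacek.cz",
        "status-code": 200,
    }
})


def parse_policy(policy: str) -> dict:
    """Split a CSP header value into {directive: [source expressions]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def would_report(url: str, policy: str, directive: str = "img-src") -> bool:
    """True if fetching `url` would produce a report (or a block, if enforced).
    Falls back to default-src when the specific directive is absent; only
    scheme sources are evaluated (simplification)."""
    d = parse_policy(policy)
    sources = d.get(directive) or d.get("default-src", [])
    allowed_schemes = {s.lower().rstrip(":") for s in sources if s.endswith(":")}
    return urlsplit(url).scheme.lower() not in allowed_schemes


def classify_report(body: str) -> dict:
    """Parse one report-uri payload and flag plain-HTTP loads as mixed content."""
    r = json.loads(body)["csp-report"]
    blocked = r.get("blocked-uri", "")
    return {
        "document": r.get("document-uri"),
        "directive": r.get("effective-directive") or r.get("violated-directive"),
        "blocked_uri": blocked,
        "report_only": r.get("disposition") == "report",
        "mixed_content": urlsplit(blocked).scheme.lower() == "http",
    }
```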

Image mixed content

Loaded image

an image from http://www.michalspacek.cz (allowed to load, but a violation report is sent)


Related specs & documents