Content Security Policy Report-Only with report-uri – mixed content detection
This page loads images, executes JavaScript and everything else as usual, but sends a Content Security Policy (CSP) violation report (with "disposition": "report" instead of "disposition": "enforce" in the report) whenever something would be loaded over HTTP instead of HTTPS.
CSP is a policy that lets the authors (or server administrators) of a web application inform the browser about the sources from which the application expects to load resources like images, scripts, styles, or even where to submit forms.
This Report-Only mode works with both the report-uri and report-to directives, and is usually used for policy upgrades: an app can send both Content-Security-Policy and Content-Security-Policy-Report-Only headers with different policies, enforcing the current one while only reporting violations of the candidate one.
The CSPRO (CSP Report-Only) response header:
Content-Security-Policy-Report-Only: default-src https: data: 'unsafe-inline'; report-uri https://prone.has.report/report
- default-src: what's allowed by default, includes images, fonts, JavaScript and more
  - https: means HTTPS scheme only
  - data: used for the placeholder image below
  - 'unsafe-inline' means JavaScript and CSS inlined right in the HTML source code, not in external files (e.g. code between <script> and </script>, handlers like onmouseover etc.)
- report-uri: where to send violation reports to
Image mixed content
Demo link: an image from http://www.michalspacek.cz (allowed)
<script>
// Clicking the "allowed" link points the placeholder image at a URL served over plain HTTP.
// The policy is report-only, so the image still loads, but the browser sends a violation report.
document.getElementById('allowed').onclick = function(e) {
  document.getElementById('image').src = 'http://www.michalspacek.cz/i/images/photos/michalspacek-trademark-400x268.jpg';
}
</script>
- Allowed even though the image source points to http://www.michalspacek.cz and not to https://www.michalspacek.cz
- My site supports HTTP Strict Transport Security (HSTS), so the request would eventually be auto-upgraded to HTTPS in browsers that support HSTS, but the CSP check comes first
- Chrome plans to auto-upgrade all image mixed content
- Would be blocked if the policy was enforced and not report-only
- Will trigger a report; check Developer tools (Network and Console tabs)
- Check your reports
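To show what the report-uri endpoint actually receives from the Report-Only policy above, here is an added example (not code from the original page or from the demo site) in Node.js: it serializes the same policy into the Content-Security-Policy-Report-Only header value, then classifies a violation report the way a receiving endpoint would, flagging mixed content (an https: document loading an http: resource) and distinguishing "disposition": "report" from "disposition": "enforce". The report payload is constructed to resemble a browser's report-uri POST body; the function names and the sample field values are assumptions made for this example.

```javascript
// Added example: build a CSP Report-Only header and classify report-uri violation reports.
// Not part of the original page; the report below is constructed, not captured from a browser.

// Serialize a policy object into a Content-Security-Policy-Report-Only header value.
function buildReportOnlyHeader(policy) {
  return Object.entries(policy)
    .map(([directive, values]) => (values.length ? `${directive} ${values.join(' ')}` : directive))
    .join('; ');
}

// Classify one violation report (the JSON body POSTed to report-uri).
// Returns whether the browser merely reported or actually blocked the load,
// which directive was hit, and whether it is mixed content.
function classifyReport(body) {
  const r = body['csp-report'];
  if (!r) throw new Error('not a CSP report-uri payload');
  const doc = new URL(r['document-uri']);
  let blocked = null;
  try {
    blocked = new URL(r['blocked-uri']);
  } catch (_) {
    // blocked-uri is not a URL for inline/eval violations (e.g. "inline", "eval", "data")
  }
  const mixedContent = doc.protocol === 'https:' && blocked !== null && blocked.protocol === 'http:';
  const disposition = r['disposition'] || 'unknown'; // field present in CSP Level 3 reports
  return {
    disposition,
    enforced: disposition === 'enforce',
    directive: r['effective-directive'] || r['violated-directive'],
    mixedContent,
    blockedHost: blocked ? blocked.host : r['blocked-uri'],
  };
}

// The policy from this page, as an object (same directives and values as the header above).
const policy = {
  'default-src': ['https:', 'data:', "'unsafe-inline'"],
  'report-uri': ['https://prone.has.report/report'],
};

// Constructed report: what the demo image load would produce under the report-only policy.
const imageReport = {
  'csp-report': {
    'document-uri': 'https://prone.has.report/',
    'referrer': '',
    'violated-directive': 'img-src',
    'effective-directive': 'img-src',
    'original-policy': buildReportOnlyHeader(policy),
    'disposition': 'report',
    'blocked-uri': 'http://www.michalspacek.cz/i/images/photos/michalspacek-trademark-400x268.jpg',
    'status-code': 200,
  },
};

// Constructed report for an inline script violation: blocked-uri is "inline", not a URL,
// so it must not be mistaken for mixed content.
const inlineReport = {
  'csp-report': {
    'document-uri': 'https://prone.has.report/',
    'violated-directive': 'script-src',
    'effective-directive': 'script-src',
    'disposition': 'enforce',
    'blocked-uri': 'inline',
  },
};

console.log(buildReportOnlyHeader(policy));
console.log(classifyReport(imageReport));
console.log(classifyReport(inlineReport));
```

A receiving endpoint would typically log the classification and alert on mixedContent hits while the policy is still report-only, so the offending http: references can be fixed before the same policy is moved to the enforcing Content-Security-Policy header.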
Related specs & documents
- Content Security Policy Level 3 Working Draft
- Content Security Policy Level 2
- Content Security Policy 1.0 (discontinued)