report-uri – mixed content detection
Loading images, executing JavaScript and everything else as usual, but sending a Content Security Policy (CSP) violation report (with "disposition": "report" instead of "disposition": "enforce") if something would be loaded from HTTP, not HTTPS.
CSP is a policy that lets the authors (or server administrators) of a web application inform the browser about the sources from which the application expects to load resources like images, scripts, styles, or even where to submit forms.
This Report-Only mode works with both report-uri and report-to directives, and is usually used for policy upgrades – an app can send both Content-Security-Policy and Content-Security-Policy-Report-Only headers with different policies.
Content-Security-Policy-Report-Only: default-src https: data: 'unsafe-inline'; report-uri https://fetus.has.report/report.php
default-src: what's allowed by default; includes images, fonts, JavaScript and more
https: means HTTPS scheme only, so any http:// load violates the policy and produces a report
data: used for the placeholder image below
'unsafe-inline': means JavaScript and CSS inlined right in the HTML source code, not in external files (e.g. code between <script> and </script>, handlers like onmouseover etc.)
report-uri: where to send violation reports to

an image from http://www.michalspacek.cz (allowed)
<script>
// Clicking the link swaps the image to an http:// URL. On an https: page that is
// mixed content, so the browser sends a violation report; the image still loads
// because the policy is only in Report-Only mode, not enforced.
document.getElementById('allowed').onclick = function(e) {
  document.getElementById('image').src = 'http://www.michalspacek.cz/i/images/photos/michalspacek-trademark-400x268.jpg';
}
</script>
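The report endpoint has to accept two different bodies, depending on whether the browser used report-uri or report-to. The following is an added example (not the page's own report.php) of a receiver that normalizes both formats and flags the mixed-content violations, using constructed sample reports; the document URL path and the keys of the samples are assumptions of the example.

```python
import json
from urllib.parse import urlsplit

# Constructed sample reports (not captured from the page's endpoint).
# Legacy report-uri body: one object wrapped in "csp-report", kebab-case keys.
REPORT_URI_SAMPLE = json.dumps({"csp-report": {
    "document-uri": "https://fetus.has.report/example-page",
    "effective-directive": "img-src",
    "violated-directive": "default-src",
    "original-policy": "default-src https: data: 'unsafe-inline'; report-uri https://fetus.has.report/report.php",
    "disposition": "report",
    "blocked-uri": "http://www.michalspacek.cz/i/images/photos/michalspacek-trademark-400x268.jpg",
}})
# Reporting API (report-to) body: a JSON array of reports, camelCase keys under "body".
REPORT_TO_SAMPLE = json.dumps([{
    "type": "csp-violation",
    "url": "https://fetus.has.report/example-page",
    "body": {"documentURL": "https://fetus.has.report/example-page",
             "effectiveDirective": "script-src", "blockedURL": "inline",
             "disposition": "enforce"},
}])


def normalize_reports(payload: str) -> list:
    """Map either body format onto {document, directive, blocked, disposition}."""
    data = json.loads(payload)
    if isinstance(data, dict) and "csp-report" in data:
        r = data["csp-report"]
        return [{"document": r.get("document-uri", ""),
                 "directive": r.get("effective-directive") or r.get("violated-directive", ""),
                 "blocked": r.get("blocked-uri", ""),
                 # pre-CSP3 browsers send no disposition field; don't guess it
                 "disposition": r.get("disposition", "unknown")}]
    return [{"document": i["body"].get("documentURL", ""),
             "directive": i["body"].get("effectiveDirective", ""),
             "blocked": i["body"].get("blockedURL", ""),
             "disposition": i["body"].get("disposition", "unknown")}
            for i in data if i.get("type") == "csp-violation"]


def is_mixed_content(report: dict) -> bool:
    """True when an https: document tried to load a resource over plain http:.
    Values like "inline", "eval" or "data" carry no http scheme and are ignored."""
    return (urlsplit(report["document"]).scheme == "https"
            and urlsplit(report["blocked"]).scheme == "http")


def mixed_content_hosts(payload: str) -> list:
    """Hosts still referenced over http:, the list to fix before switching to enforce."""
    return sorted({urlsplit(r["blocked"]).hostname
                   for r in normalize_reports(payload) if is_mixed_content(r)})
```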