report-uri – mixed content detection
Loading images, executing JavaScript and everything else as usual but sending a Content Security Policy (CSP) violation report (with "disposition": "report" instead of "disposition": "enforce") if something would be loaded from HTTP, not HTTPS.
CSP is a policy that lets the authors (or server administrators) of a web application inform the browser about the sources from which the application expects to load resources like images, scripts, styles, or even where to submit forms.
This Report-Only mode works with both report-uri and report-to directives, and is usually used for policy upgrades – an app can send both Content-Security-Policy and Content-Security-Policy-Report-Only headers with different policies.
Content-Security-Policy-Report-Only: default-src https: data: 'unsafe-inline'; report-uri https://xylem.has.report/report.phpdefault-src: what's allowed by default, includes images, fonts, JavaScript and more
https: means HTTPS scheme onlydata: used for the placeholder image below'unsafe-inline' means JavaScript, CSS inlined right in the HTML source code, not in external files (e.g. code between <script> and </script>, handlers like onmouseover etc.)report-uri: where to send violation reports to
an image from http://www.michalspacek.cz (allowed)
<script>
document.getElementById('allowed').onclick = function(e) {
document.getElementById('image').src = 'http://www.michalspacek.cz/i/images/photos/michalspacek-trademark-400x268.jpg';
}
</script>