Source: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-to

CSP: report-to - HTTP | MDN


The Content-Security-Policy report-to directive indicates the name of the endpoint that the browser should use for reporting CSP violations.

If a CSP violation occurs, a report is generated that contains a serialized CSPViolationReportBody object instance. This report is sent to the URL that corresponds to the endpoint name, using the generic mechanisms defined in the Reporting API.

The server must separately provide the mapping between endpoint names and their corresponding URLs in the Reporting-Endpoints HTTP response header.

Syntax
Content-Security-Policy: …; report-to <endpoint_name>

<endpoint_name> is the name of an endpoint provided by the Reporting-Endpoints HTTP response header. It can also be the name of a group provided by the server in the deprecated Report-To HTTP response header.

Violation report syntax

A CSP violation report is a JSON-serialized Report object instance, with a type property that has a value of "csp-violation", and a body that is the serialized form of a CSPViolationReportBody object (see the respective objects for their property definitions). Reports are sent to the target endpoint(s) via a POST operation with a Content-Type of application/reports+json.

The JSON for a single report might look like this:

{
  "age": 53531,
  "body": {
    "blockedURL": "inline",
    "columnNumber": 39,
    "disposition": "enforce",
    "documentURL": "https://example.com/csp-report",
    "effectiveDirective": "script-src-elem",
    "lineNumber": 121,
    "originalPolicy": "default-src 'self'; report-to csp-endpoint-name",
    "referrer": "https://www.google.com/",
    "sample": "console.log(\"lo\")",
    "sourceFile": "https://example.com/csp-report",
    "statusCode": 200
  },
  "type": "csp-violation",
  "url": "https://example.com/csp-report",
  "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36"
}
Usage notes

The report-to directive is intended to replace report-uri, and browsers that support report-to ignore the report-uri directive when both are present. Until report-to is broadly supported, you can specify both directives so that older browsers still deliver reports:

Content-Security-Policy: …; report-uri https://endpoint.example.com; report-to endpoint_name

Note that other examples in this topic do not show report-uri.

Examples

Setting a CSP violation report endpoint

A server can define the mapping between endpoint names and URLs using the Reporting-Endpoints header in the HTTP response. Any name can be used: here we've chosen name-of-endpoint.

Reporting-Endpoints: name-of-endpoint="https://example.com/csp-reports"

The server then names this endpoint as the target for CSP violation reports with the report-to directive:

Content-Security-Policy: default-src 'self'; report-to name-of-endpoint