HTTP headers | Content-Security-Policy-Report-Only
Last Updated: 31 Oct, 2019
The HTTP Content-Security-Policy-Report-Only response header lets web developers test a content security policy by monitoring its effects without enforcing it. Violations are reported as JSON documents that the browser sends through an HTTP POST request to the specified URI. It is a response-type header.
Syntax:
Content-Security-Policy-Report-Only: <policy-directive>
Directives: This header accepts a single directive, shown in the syntax above and described below:
- <policy-directive>: Any directive of the Content-Security-Policy header can be used here. The report-uri directive should be used together with this header, otherwise the browser has nowhere to deliver the violation reports.
Note: The report-uri directive is intended to be replaced by the report-to directive, but report-to is still not supported by most browsers. To avoid compatibility issues, one can specify both report-uri and report-to: this keeps reporting working in current browsers and adds forward compatibility for when browsers gain report-to support.
Content-Security-Policy: ...; report-uri https://written.geeksforgeeks.com; report-to groupname
Browsers that support report-to will ignore report-uri.
- report-to: Fires a SecurityPolicyViolationEvent. As stated above, it is not supported by all browsers as of now.
Examples: The purpose of the header is to report any violations that occur. It can be used iteratively to refine a content security policy: observe how the site behaves, watch for violation reports and/or malware redirects, then choose the appropriate policy to impose through the Content-Security-Policy header.
Content-Security-Policy-Report-Only: default-src https:; report-uri /csp-violation-report-endpoint/
If one wishes to receive reports while still enforcing the policy, the Content-Security-Policy header can be used with the report-uri directive.
Content-Security-Policy: default-src https:; report-uri /csp-violation-report-endpoint/
To see Content-Security-Policy-Report-Only in action, open the browser developer tools (Inspect Element -> Network), select the page's response and look for Content-Security-Policy-Report-Only among the response headers.
Violation report syntax: The JSON report contains the following data:
- blocked-uri: The URI of the resource that the Content Security Policy blocked from loading. If the blocked URI has a different origin than the document-uri, it is shortened to just the scheme, host and port.
- disposition: Either "enforce" or "report", depending on whether the Content-Security-Policy or the Content-Security-Policy-Report-Only header is used.
- document-uri: The URI of the document that encountered the violation.
- effective-directive: The directive whose enforcement caused the violation.
- original-policy: The original policy specified by the Content-Security-Policy-Report-Only HTTP header.
- referrer: The referrer of the document that encountered the violation.
- script-sample: The first 40 characters of the inline script, event handler, or style that gave rise to the violation.
- status-code: The HTTP status code of the resource on which the global object was instantiated.
- violated-directive: The name of the policy section that was violated.
Sample violation report: The page is located at http://geeksforgeeks.com/signup.html. Below is the policy it sends, which only allows stylesheets from cdn.geeksforgeeks.com.
Content-Security-Policy-Report-Only: default-src 'none'; style-src cdn.geeksforgeeks.com; report-uri /_/csp-reports
- HTML code: The HTML of signup.html looks like this:
<!DOCTYPE html>
<html>
<head>
<title>Sign Up</title>
<link rel="stylesheet" href="css/style.css">
</head>
<body>
. . .
</body>
</html>
- Violation: Here CSS may only be loaded from the CDN, but the HTML references a stylesheet on the page's own origin (css/style.css). The browser will therefore send the following violation report:
{
  "csp-report": {
    "document-uri": "http://geeksforgeeks.com/signup.html",
    "referrer": "",
    "blocked-uri": "http://geeksforgeeks.com/css/style.css",
    "violated-directive": "style-src cdn.geeksforgeeks.com",
    "original-policy": "default-src 'none'; style-src cdn.geeksforgeeks.com; report-uri /_/csp-reports",
    "disposition": "report"
  }
}
Supported Browsers: The browsers compatible with the HTTP Content-Security-Policy-Report-Only header are listed below:
- Google Chrome 25.0
- Internet Explorer 10.0
- Firefox 23.0
- Safari 7.0
- Opera 15.0