Content-Security-Policy-Report-Only HTTP response header

Content-Security-Policy-Report-Only

The HTTP Content-Security-Policy-Report-Only response header allows web developers to experiment with policies by monitoring (but not enforcing) their effects. These violation reports consist of JSON documents sent via an HTTP POST request to the specified URI

Header usage statistics

Content-Security-Policy-Report-Only response header information and usage statistics.


Websites using header Content-Security-Policy-Report-Only	281,685
Percentage of websites that use Content-Security-Policy-Report-Only header	0.28%
Total discovered header values	10,001
Header uses directives	Yes
Header values are unique or random	No
Most popular in the country	Germany

Content-Security-Policy-Report-Only Directives (27 total)

base-uri
block-all-mixed-content
child-src
connect-src
default-src
font-src
form-action
frame-ancestors
frame-src
img-src
manifest-src
media-src
object-src
plugin-types
prefetch-src
report-to
report-uri
sandbox
script-src
script-src-attr
script-src-elem
style-src
style-src-attr
style-src-elem
trusted-types
upgrade-insecure-requests
worker-src

Directive	Share	Websites count	Unique Values
block-all-mixed-content	5.18%	14,602	11
upgrade-insecure-requests	1.42%	3,995	13
frame-ancestors	<0.1%	53	2
report-uri	<0.1%	39	2
media-src	<0.1%	38	2
child-src	<0.1%	29	2
worker-src	<0.1%	28	2
base-uri	<0.1%	27	2
object-src	<0.1%	20	2
sandbox	<0.1%	17	1
default-src	<0.1%	9	1
manifest-src	<0.1%	9	1
frame-src	<0.1%	8	1
plugin-types	<0.1%	8	1
prefetch-src	<0.1%	7	1
form-action	<0.1%	5	1
connect-src	<0.1%	4	1
font-src	<0.1%	3	1
script-src	<0.1%	3	1
script-src-attr	<0.1%	3	1
script-src-elem	<0.1%	3	1
style-src	<0.1%	3	1
style-src-attr	<0.1%	3	1
trusted-types	<0.1%	3	1
img-src	<0.1%	2	1
report-to	<0.1%	2	1
style-src-elem	<0.1%	2	1

Directive

Websites count

Unique Values

block-all-mixed-content

5.18%

14,602

upgrade-insecure-requests

1.42%

3,995

frame-ancestors

<0.1%

report-uri

<0.1%

media-src

<0.1%

child-src

<0.1%

worker-src

<0.1%

base-uri

<0.1%

object-src

<0.1%

sandbox

<0.1%

default-src

<0.1%

manifest-src

<0.1%

frame-src

<0.1%

plugin-types

<0.1%

prefetch-src

<0.1%

form-action

<0.1%

connect-src

<0.1%

font-src

<0.1%

script-src

<0.1%

script-src-attr

<0.1%

script-src-elem

<0.1%

style-src

<0.1%

style-src-attr

<0.1%

trusted-types

<0.1%

img-src

<0.1%

report-to

<0.1%

style-src-elem

<0.1%

Domain	Country	Rank
www.facebook.com	Ireland	2
www.youtube.com	United States of America	6
developers.google.com	United States of America	11
www.messenger.com	Ireland	12
m.facebook.com	Ireland	16
www.pinterest.com	United States of America	32

Domain

Country

Rank

Contacts

www.facebook.com

Ireland

www.youtube.com

United States of America

developers.google.com

United States of America

www.messenger.com

Ireland

m.facebook.com

Ireland

www.pinterest.com

United States of America

Header value	Value prevalence
default-src ;script-src 'unsafe-inline' 'unsafe-eval' ;style-src 'unsafe-inline' ;connect-src blob:;report-uri https://cdn.website-start.de/app/reporting/policyviolation/submit	47.34%
default-src ;script-src 'unsafe-inline' 'unsafe-eval' ;style-src 'unsafe-inline' ;connect-src blob:;report-uri https://cdn.initial-website.com/app/reporting/policyviolation/submit	7.30%
default-src https: blob: data: 'unsafe-inline' 'unsafe-eval'; report-uri https://www.blogger.com/cspreport	3.16%
default-src https:; script-src https: 'unsafe-eval' 'unsafe-inline'; style-src https: 'unsafe-inline'; img-src https: data:; font-src https: data:; report-uri /csp-report	3.10%
block-all-mixed-content; report-uri https://blog.hatena.ne.jp/api/csp_report	2.75%
default-src https: wss: 'unsafe-inline' 'unsafe-eval' data:; report-uri https://sp.report-uri.com/r/default/csp/reportOnly	1.56%
default-src ;script-src 'unsafe-inline' 'unsafe-eval' ;style-src 'unsafe-inline' ;connect-src blob:;report-uri https://cdn.eu.mywebsite-editor.com/app/reporting/policyviolation/submit	1.18%
font-src 'self' 'unsafe-inline'; form-action geostag.cardinalcommerce.com geo.cardinalcommerce.com 1eafstag.cardinalcommerce.com 1eaf.cardinalcommerce.com centinelapistag.cardinalcommerce.com centinelapi.cardinalcommerce.com secure.authorize.net test.auth	1.08%
default-src https: data: 'unsafe-inline' 'unsafe-eval'	1.04%
report-uri https://sjc1.qualtrics.com/csp-report	0.88%
default-src https: blob:; connect-src https: wss:; img-src https: data:; font-src https: data:; style-src https: 'unsafe-inline'; script-src https: 'unsafe-inline' 'unsafe-eval' blob:; report-uri /csp-violation-endpoint/	0.78%
block-all-mixed-content; report-uri /csprep/log;	0.60%
default-src https: data: blob: wss: 'unsafe-inline' 'unsafe-eval'; report-uri /_csp	0.56%
script-src 'unsafe-eval' 'self' https: 'self' data: 'unsafe-inline' 'unsafe-eval' blob: 'unsafe-inline' internal-soap.wikia.com internal-soap.fandom.com internal-soap.wikia.org internal-soap.gamepedia.com www.fandom.com www.wikia.com www.wikia.org www.gam	0.54%
default-src acsbap.com .acsbapp.com .google-analytics.com;frame-src 'self' .google.com .google-analytics.com .googletagmanager.com .onboardnavigator.com;img-src 'self' data: .bing.com .elmstreettechnology.com .facebook.com .google-analytics.com	0.50%
default-src https: wss: data: blob: 'unsafe-inline' 'unsafe-eval'; report-uri https://tpj.report-uri.io/r/default/csp/reportOnly	0.40%
default-src 'self' data: blob: https://.fbsbx.com 'unsafe-inline' .facebook.com 'unsafe-eval' .fbcdn.net;script-src connect.facebook.net static.xx.fbcdn.net 'unsafe-inline' .facebook.com 'unsafe-eval' *.fbcdn.net data:;connect-src wss://gateway.facebo	0.40%
font-src 'self' 'unsafe-inline'; form-action secure.authorize.net test.authorize.net geostag.cardinalcommerce.com geo.cardinalcommerce.com 1eafstag.cardinalcommerce.com 1eaf.cardinalcommerce.com centinelapistag.cardinalcommerce.com centinelapi.cardinalcom	0.36%
script-src 'unsafe-eval' blob: 'self' meta.wikimedia.org .wikimedia.org .wikipedia.org .wikinews.org .wiktionary.org .wikibooks.org .wikiversity.org .wikisource.org wikisource.org .wikiquote.org .wikidata.org .wikivoyage.org *.mediawiki.org 'uns	0.35%
frame-ancestors 'self' *.flipdish.com; report-uri /api/v1.0/csp/report	0.34%

Header value

Value prevalence

default-src *;script-src 'unsafe-inline' 'unsafe-eval' *;style-src 'unsafe-inline' *;connect-src * blob:;report-uri https://cdn.website-start.de/app/reporting/policyviolation/submit

47.34%

default-src *;script-src 'unsafe-inline' 'unsafe-eval' *;style-src 'unsafe-inline' *;connect-src * blob:;report-uri https://cdn.initial-website.com/app/reporting/policyviolation/submit

7.30%

default-src https: blob: data: 'unsafe-inline' 'unsafe-eval'; report-uri https://www.blogger.com/cspreport

3.16%

default-src https:; script-src https: 'unsafe-eval' 'unsafe-inline'; style-src https: 'unsafe-inline'; img-src https: data:; font-src https: data:; report-uri /csp-report

3.10%

block-all-mixed-content; report-uri https://blog.hatena.ne.jp/api/csp_report

2.75%

default-src https: wss: 'unsafe-inline' 'unsafe-eval' data:; report-uri https://sp.report-uri.com/r/default/csp/reportOnly

1.56%

default-src *;script-src 'unsafe-inline' 'unsafe-eval' *;style-src 'unsafe-inline' *;connect-src * blob:;report-uri https://cdn.eu.mywebsite-editor.com/app/reporting/policyviolation/submit

1.18%

font-src 'self' 'unsafe-inline'; form-action geostag.cardinalcommerce.com geo.cardinalcommerce.com 1eafstag.cardinalcommerce.com 1eaf.cardinalcommerce.com centinelapistag.cardinalcommerce.com centinelapi.cardinalcommerce.com secure.authorize.net test.auth

1.08%

default-src https: data: 'unsafe-inline' 'unsafe-eval'

1.04%

report-uri https://sjc1.qualtrics.com/csp-report

0.88%

default-src https: blob:; connect-src https: wss:; img-src https: data:; font-src https: data:; style-src https: 'unsafe-inline'; script-src https: 'unsafe-inline' 'unsafe-eval' blob:; report-uri /csp-violation-endpoint/

0.78%

block-all-mixed-content; report-uri /csprep/log;

0.60%

default-src https: data: blob: wss: 'unsafe-inline' 'unsafe-eval'; report-uri /_csp

0.56%

script-src 'unsafe-eval' 'self' https: 'self' data: 'unsafe-inline' 'unsafe-eval' blob: 'unsafe-inline' internal-soap.wikia.com internal-soap.fandom.com internal-soap.wikia.org internal-soap.gamepedia.com www.fandom.com www.wikia.com www.wikia.org www.gam

0.54%

default-src acsbap.com *.acsbapp.com *.google-analytics.com;frame-src 'self' *.google.com *.google-analytics.com *.googletagmanager.com *.onboardnavigator.com;img-src 'self' data: *.bing.com *.elmstreettechnology.com *.facebook.com *.google-analytics.com

0.50%

default-src https: wss: data: blob: 'unsafe-inline' 'unsafe-eval'; report-uri https://tpj.report-uri.io/r/default/csp/reportOnly

0.40%

default-src 'self' data: blob: https://*.fbsbx.com 'unsafe-inline' *.facebook.com 'unsafe-eval' *.fbcdn.net;script-src connect.facebook.net static.xx.fbcdn.net 'unsafe-inline' *.facebook.com 'unsafe-eval' *.fbcdn.net data:;connect-src wss://gateway.facebo

0.40%

font-src 'self' 'unsafe-inline'; form-action secure.authorize.net test.authorize.net geostag.cardinalcommerce.com geo.cardinalcommerce.com 1eafstag.cardinalcommerce.com 1eaf.cardinalcommerce.com centinelapistag.cardinalcommerce.com centinelapi.cardinalcom

0.36%

script-src 'unsafe-eval' blob: 'self' meta.wikimedia.org *.wikimedia.org *.wikipedia.org *.wikinews.org *.wiktionary.org *.wikibooks.org *.wikiversity.org *.wikisource.org wikisource.org *.wikiquote.org *.wikidata.org *.wikivoyage.org *.mediawiki.org 'uns

0.35%

frame-ancestors 'self' *.flipdish.com; report-uri /api/v1.0/csp/report

0.34%

Top 10k sites	373 websites
Top 100k sites	1,572 websites
Top 1m sites	7,592 websites