Content-Security-Policy-Report-Only

HTTP response header

The HTTP Content-Security-Policy-Report-Only response header allows web developers to experiment with policies by monitoring (but not enforcing) their effects. Violation reports are JSON documents sent via an HTTP POST request to the specified URI.

Header usage statistics

Content-Security-Policy-Report-Only response header information and usage statistics.

Websites using header Content-Security-Policy-Report-Only: 282,453
Percentage of websites that use Content-Security-Policy-Report-Only header: 0.33%
Total discovered header values: More than 10,000
Header uses directives: Yes
Header values are unique or random: No
Most popular in the country: Germany

Content-Security-Policy-Report-Only directives (29 total)

  • base-uri
  • block-all-mixed-content
  • child-src
  • connect-src
  • default-src
  • font-src
  • form-action
  • frame-ancestors
  • frame-src
  • img-src
  • manifest-src
  • media-src
  • navigate-to
  • object-src
  • plugin-types
  • prefetch-src
  • report-to
  • report-uri
  • require-trusted-types-for
  • sandbox
  • script-src
  • script-src-attr
  • script-src-elem
  • style-src
  • style-src-attr
  • style-src-elem
  • trusted-types
  • upgrade-insecure-requests
  • worker-src

Content-Security-Policy-Report-Only Directives

Content-Security-Policy-Report-Only directives value information and usage statistics.

Directive                    Share    Websites count   Unique values
upgrade-insecure-requests    4.10%    11,571           1
block-all-mixed-content      4.04%    11,421           2
frame-ancestors              <0.1%    83               2
report-uri                   <0.1%    82               2
child-src                    <0.1%    62               2
worker-src                   <0.1%    62               2
media-src                    <0.1%    50               1
object-src                   <0.1%    34               2
base-uri                     <0.1%    24               2
sandbox                      <0.1%    20               2
connect-src                  <0.1%    19               2
default-src                  <0.1%    18               1
prefetch-src                 <0.1%    16               2
form-action                  <0.1%    15               1
font-src                     <0.1%    14               1
frame-src                    <0.1%    14               1
trusted-types                <0.1%    14               1
manifest-src                 <0.1%    13               2
img-src                      <0.1%    12               1
script-src                   <0.1%    10               1
script-src-attr              <0.1%    10               1
style-src                    <0.1%    9                1
style-src-attr               <0.1%    9                1
style-src-elem               <0.1%    9                1
script-src-elem              <0.1%    8                1
report-to                    <0.1%    7                1
require-trusted-types-for    <0.1%    7                1
navigate-to                  <0.1%    6                1
plugin-types                 <0.1%    3                1

Connected technologies

Technologies that utilize the header

Amazon S3, category Content Delivery Networks, total 1,156,961 websites
Recurly, category Payment Processors, total 3,903 websites
Payplug, category Payment Processors, total 3,034 websites
Kameleoon, category Personalization, total 2,197 websites
Cardinal, category Payment Processors, total 960 websites
Medallia, category User Onboarding, total 694 websites
Zuora, category Payment, total 617 websites
Digital River, category Ecommerce, total 172 websites
RapidSec, category Security Solutions, total 120 websites

Content-Security-Policy-Report-Only header usage distribution by website popularity

Geographical Distribution

Header usage distribution by websites across the globe.

Websites utilizing Content-Security-Policy-Report-Only

List of websites that use Content-Security-Policy-Report-Only header

Domain               Country          Rank
google.com           United States    3
www.google.com       United States    3
www.youtube.com      United States    6
www.instagram.com    United States    9
www.messenger.com    United States    12
maps.google.com      United States    24

Common header values

List of top common Content-Security-Policy-Report-Only header values

Value prevalence   Header value
37.02%             default-src *;script-src 'unsafe-inline' 'unsafe-eval' *;style-src 'unsafe-inline' *;connect-src * blob:;report-uri https://cdn.website-start.de/app/reporting/policyviolation/submit
5.55%              default-src *;script-src 'unsafe-inline' 'unsafe-eval' *;style-src 'unsafe-inline' *;connect-src * blob:;report-uri https://cdn.initial-website.com/app/reporting/policyviolation/submit
3.81%              default-src https: blob: data: 'unsafe-inline' 'unsafe-eval'; report-to blogspot; report-uri https://www.blogger.com/cspreport
2.43%              upgrade-insecure-requests; default-src 'self' https: data: wss: 'unsafe-inline' 'unsafe-eval';
2.13%              default-src http: https: 'self'; connect-src 'self' http: https: javascript: wss: *.doubleclick.net *.facebook.com *.freshdesk.com ajax.googleapis.com *.google-analytics.com www.justuno.com *.loyaltylion.net www.shopboostapp.com *.smartsupp.com *.tawk.to
1.90%              default-src https:; script-src https: 'unsafe-eval' 'unsafe-inline'; style-src https: 'unsafe-inline'; img-src https: data:; font-src https: data:; report-uri /csp-report
1.81%              block-all-mixed-content; report-uri https://blog.hatena.ne.jp/api/csp_report
1.38%              frame-ancestors 'self'
0.96%              frame-ancestors 'self' *.qualtrics.com *.my.salesforce.com *.visualforce.com *.visual.force.com *.lightning.force.com; report-uri https://sjc1.qualtrics.com/csp-report
0.90%              default-src *;script-src 'unsafe-inline' 'unsafe-eval' *;style-src 'unsafe-inline' *;connect-src * blob:;report-uri https://cdn.eu.mywebsite-editor.com/app/reporting/policyviolation/submit
0.58%              require-trusted-types-for 'script';report-uri https://csp.withgoogle.com/csp/6b8ce7c01e3dacd3d2c7a8cd322ff979/mr
0.57%              default-src https: wss: 'unsafe-inline' 'unsafe-eval' data:; report-uri https://sp.report-uri.com/r/default/csp/reportOnly
0.52%              script-src 'unsafe-eval' blob: 'self' https: 'self' data: 'unsafe-inline' 'unsafe-eval' blob: 'unsafe-inline' internal-soap.wikia.com internal-soap.fandom.com internal-soap.wikia.org internal-soap.gamepedia.com www.fandom.com www.wikia.com www.wikia.org w
0.49%              default-src * 'unsafe-eval' 'unsafe-inline' 'unsafe-dynamic' data: filesystem: about: blob: ws: wss:
0.46%              default-src * data: ; script-src * 'unsafe-inline' 'unsafe-eval' ; style-src * 'unsafe-inline' data: ; frame-ancestors 'none'; report-uri /csp-violation-report-endpoint/
0.45%              default-src https: wss: data: blob: 'unsafe-inline' 'unsafe-eval'; report-uri https://tpj.report-uri.io/r/default/csp/reportOnly
0.41%              default-src acsbap.com *.acsbapp.com *.google-analytics.com *.voicepad.com analytics.crea.ca *.hireaiva.com aiva-live-chat.storage.googleapis.com;frame-src 'self' 'unsafe-inline' *.google.com *.google-analytics.com *.googletagmanager.com *.onboardnavigato
0.40%              default-src https: data: blob: wss: 'unsafe-inline' 'unsafe-eval'; report-uri /_csp
0.36%              script-src 'unsafe-eval' blob: 'self' meta.wikimedia.org *.wikimedia.org *.wikipedia.org *.wikinews.org *.wiktionary.org *.wikibooks.org *.wikiversity.org *.wikisource.org wikisource.org *.wikiquote.org *.wikidata.org *.wikifunctions.org *.wikivoyage.org
0.32%              font-src 'self' 'unsafe-inline'; form-action geostag.cardinalcommerce.com geo.cardinalcommerce.com 1eafstag.cardinalcommerce.com 1eaf.cardinalcommerce.com centinelapistag.cardinalcommerce.com centinelapi.cardinalcommerce.com secure.authorize.net test.auth