Content-Security-Policy-Report-Only HTTP response header

Content-Security-Policy-Report-Only

The HTTP Content-Security-Policy-Report-Only response header allows web developers to experiment with policies by monitoring (but not enforcing) their effects. These violation reports consist of JSON documents sent via an HTTP POST request to the specified URI

Header usage statistics

Content-Security-Policy-Report-Only response header information and usage statistics.


Websites using header Content-Security-Policy-Report-Only	164,128
Percentage of websites that use Content-Security-Policy-Report-Only header	1.41%
Total discovered header values	4,346
Header uses directives	Yes
Header values are unique or random	No
Most popular in the country	Canada

Content-Security-Policy-Report-Only Directives (17 total)

base-uri
block-all-mixed-content
child-src
default-src
font-src
frame-ancestors
frame-src
img-src
manifest-src
media-src
object-src
plugin-types
prefetch-src
report-uri
sandbox
script-src-attr
upgrade-insecure-requests

Directive	Share	Websites count	Unique Values
block-all-mixed-content	25.97%	42,626	11
upgrade-insecure-requests	0.16%	255	13
base-uri	<0.1%	5	1
default-src	<0.1%	5	1
plugin-types	<0.1%	5	1
report-uri	<0.1%	5	1
object-src	<0.1%	4	1
frame-ancestors	<0.1%	3	1
media-src	<0.1%	3	1
font-src	<0.1%	2	1
frame-src	<0.1%	2	1
img-src	<0.1%	2	1
manifest-src	<0.1%	2	1
prefetch-src	<0.1%	2	1
sandbox	<0.1%	2	1
script-src-attr	<0.1%	2	1
child-src	<0.1%	1	1

Directive

Websites count

Unique Values

block-all-mixed-content

25.97%

42,626

upgrade-insecure-requests

0.16%

255

base-uri

<0.1%

default-src

<0.1%

plugin-types

<0.1%

report-uri

<0.1%

object-src

<0.1%

frame-ancestors

<0.1%

media-src

<0.1%

font-src

<0.1%

frame-src

<0.1%

img-src

<0.1%

manifest-src

<0.1%

prefetch-src

<0.1%

sandbox

<0.1%

script-src-attr

<0.1%

child-src

<0.1%

Domain	Country	Rank
www.pinterest.com	United States of America	13
play.google.com	United States of America	19
support.google.com	United States of America	20
vimeo.com	United States of America	26
www.telegraph.co.uk	United States of America	64
www.yelp.com	United States of America	73

Domain

Country

Rank

Contacts

www.pinterest.com

United States of America

play.google.com

United States of America

support.google.com

United States of America

vimeo.com

United States of America

www.telegraph.co.uk

United States of America

www.yelp.com

United States of America

Header value	Value prevalence
worker-src 'none'; report-uri /csp-report	50.87%
block-all-mixed-content; report-uri https://blog.hatena.ne.jp/api/csp_report	31.51%
script-src 'unsafe-eval' 'self' https: 'self' data: 'unsafe-inline' 'unsafe-eval' blob: 'unsafe-inline' internal-soap.wikia.com internal-soap.fandom.com internal-soap.wikia.org internal-soap.gamepedia.com www.fandom.com www.wikia.com www.wikia.org www.gam	2.31%
default-src ;script-src 'unsafe-inline' 'unsafe-eval' ;style-src 'unsafe-inline' ;connect-src blob:;report-uri https://cdn.website-start.de/app/reporting/policyviolation/submit	2.29%
default-src https: 'self' data: blob:; script-src https: 'self' data: 'unsafe-inline' 'unsafe-eval' blob:; style-src https: 'self' 'unsafe-inline' blob:; report-uri https://services.wikia.com/csp-logger/csp/app	1.31%
default-src ;script-src 'unsafe-inline' 'unsafe-eval' ;style-src 'unsafe-inline' ;connect-src blob:;report-uri https://cdn.initial-website.com/app/reporting/policyviolation/submit	0.67%
default-src https: blob: data: 'unsafe-inline' 'unsafe-eval'; report-uri https://www.blogger.com/cspreport	0.63%
block-all-mixed-content; report-uri /csprep/log	0.55%
script-src 'unsafe-eval' blob: 'self' meta.wikimedia.org .wikimedia.org .wikipedia.org .wikinews.org .wiktionary.org .wikibooks.org .wikiversity.org .wikisource.org wikisource.org .wikiquote.org .wikidata.org .wikivoyage.org *.mediawiki.org 'uns	0.55%
frame-ancestors 'self' *.qualtrics.com; report-uri https://sjc1.qualtrics.com/csp-report	0.50%
default-src https:; script-src https: 'unsafe-eval' 'unsafe-inline'; style-src https: 'unsafe-inline'; img-src https: data:; font-src https: data:; report-uri /csp-report	0.49%
font-src 'self' 'unsafe-inline'; form-action geostag.cardinalcommerce.com geo.cardinalcommerce.com 1eafstag.cardinalcommerce.com 1eaf.cardinalcommerce.com centinelapistag.cardinalcommerce.com centinelapi.cardinalcommerce.com secure.authorize.net test.auth	0.43%
default-src https: blob: 'unsafe-inline' 'unsafe-eval'; img-src https: data:; font-src 'self' data: https: 'unsafe-inline'; connect-src https: wss: 'unsafe-inline'; report-uri https://hi.report-uri.io/r/default/csp/reportOnly	0.34%
default-src https: 'self' data: blob:; script-src https: 'self' data: 'unsafe-inline' 'unsafe-eval' blob:; style-src https: 'self' 'unsafe-inline' blob:; report-uri https://services.fandom.com/csp-logger/csp/app	0.28%
default-src data: https: 'unsafe-inline' 'unsafe-eval'; report-uri https://a3frkpbrnzxvdwnkpssx604n.httpschecker.net/report; report-to https://a3frkpbrnzxvdwnkpssx604n.httpschecker.net/report	0.25%
font-src 'self' 'unsafe-inline'; form-action secure.authorize.net test.authorize.net geostag.cardinalcommerce.com geo.cardinalcommerce.com 1eafstag.cardinalcommerce.com 1eaf.cardinalcommerce.com centinelapistag.cardinalcommerce.com centinelapi.cardinalcom	0.19%
default-src https: wss: 'unsafe-inline' 'unsafe-eval' data:; report-uri https://sp.report-uri.com/r/default/csp/reportOnly	0.19%
default-src https: wss: data: blob: 'unsafe-inline' 'unsafe-eval'; report-uri https://logger.kataweb.it/csp/	0.19%
default-src https: data: ; script-src 'self' 'unsafe-inline' 'unsafe-eval' https: ; manifest-src 'self' https://cdn.evbstatic.com ; style-src https: 'unsafe-inline' ; connect-src https: about: ; object-src https: ; media-src https: ; frame-src https: fbrp	0.18%
frame-ancestors 'self' .hudl.com .youtube.com .sendtonews.com .cbssports.com .247sports.com .scout.com .ampproject.org .amp.cloudflare.com; default-src https: 'unsafe-inline' 'unsafe-eval' wss: ;img-src https: data: blob: ; font-src https: data:;	0.12%

Header value

Value prevalence

worker-src 'none'; report-uri /csp-report

50.87%

block-all-mixed-content; report-uri https://blog.hatena.ne.jp/api/csp_report

31.51%

script-src 'unsafe-eval' 'self' https: 'self' data: 'unsafe-inline' 'unsafe-eval' blob: 'unsafe-inline' internal-soap.wikia.com internal-soap.fandom.com internal-soap.wikia.org internal-soap.gamepedia.com www.fandom.com www.wikia.com www.wikia.org www.gam

2.31%

default-src *;script-src 'unsafe-inline' 'unsafe-eval' *;style-src 'unsafe-inline' *;connect-src * blob:;report-uri https://cdn.website-start.de/app/reporting/policyviolation/submit

2.29%

default-src https: 'self' data: blob:; script-src https: 'self' data: 'unsafe-inline' 'unsafe-eval' blob:; style-src https: 'self' 'unsafe-inline' blob:; report-uri https://services.wikia.com/csp-logger/csp/app

1.31%

default-src *;script-src 'unsafe-inline' 'unsafe-eval' *;style-src 'unsafe-inline' *;connect-src * blob:;report-uri https://cdn.initial-website.com/app/reporting/policyviolation/submit

0.67%

default-src https: blob: data: 'unsafe-inline' 'unsafe-eval'; report-uri https://www.blogger.com/cspreport

0.63%

block-all-mixed-content; report-uri /csprep/log

0.55%

script-src 'unsafe-eval' blob: 'self' meta.wikimedia.org *.wikimedia.org *.wikipedia.org *.wikinews.org *.wiktionary.org *.wikibooks.org *.wikiversity.org *.wikisource.org wikisource.org *.wikiquote.org *.wikidata.org *.wikivoyage.org *.mediawiki.org 'uns

0.55%

frame-ancestors 'self' *.qualtrics.com; report-uri https://sjc1.qualtrics.com/csp-report

0.50%

default-src https:; script-src https: 'unsafe-eval' 'unsafe-inline'; style-src https: 'unsafe-inline'; img-src https: data:; font-src https: data:; report-uri /csp-report

0.49%

font-src 'self' 'unsafe-inline'; form-action geostag.cardinalcommerce.com geo.cardinalcommerce.com 1eafstag.cardinalcommerce.com 1eaf.cardinalcommerce.com centinelapistag.cardinalcommerce.com centinelapi.cardinalcommerce.com secure.authorize.net test.auth

0.43%

default-src https: blob: 'unsafe-inline' 'unsafe-eval'; img-src https: data:; font-src 'self' data: https: 'unsafe-inline'; connect-src https: wss: 'unsafe-inline'; report-uri https://hi.report-uri.io/r/default/csp/reportOnly

0.34%

0.28%

default-src data: https: 'unsafe-inline' 'unsafe-eval'; report-uri https://a3frkpbrnzxvdwnkpssx604n.httpschecker.net/report; report-to https://a3frkpbrnzxvdwnkpssx604n.httpschecker.net/report

0.25%

font-src 'self' 'unsafe-inline'; form-action secure.authorize.net test.authorize.net geostag.cardinalcommerce.com geo.cardinalcommerce.com 1eafstag.cardinalcommerce.com 1eaf.cardinalcommerce.com centinelapistag.cardinalcommerce.com centinelapi.cardinalcom

0.19%

default-src https: wss: 'unsafe-inline' 'unsafe-eval' data:; report-uri https://sp.report-uri.com/r/default/csp/reportOnly

0.19%

default-src https: wss: data: blob: 'unsafe-inline' 'unsafe-eval'; report-uri https://logger.kataweb.it/csp/

0.19%

default-src https: data: ; script-src 'self' 'unsafe-inline' 'unsafe-eval' https: ; manifest-src 'self' https://cdn.evbstatic.com ; style-src https: 'unsafe-inline' ; connect-src https: about: ; object-src https: ; media-src https: ; frame-src https: fbrp

0.18%

frame-ancestors 'self' *.hudl.com *.youtube.com *.sendtonews.com *.cbssports.com *.247sports.com *.scout.com *.ampproject.org *.amp.cloudflare.com; default-src https: 'unsafe-inline' 'unsafe-eval' wss: ;img-src https: data: blob: ; font-src https: data:;

0.12%

Top 10k sites	290 websites
Top 100k sites	2,107 websites
Top 1m sites	8,756 websites