Content-Security-Policy-Report-Only

HTTP response header

The HTTP Content-Security-Policy-Report-Only response header allows web developers to experiment with policies by monitoring (but not enforcing) their effects. Violation reports are JSON documents sent via an HTTP POST request to the URI specified in the policy.

Header usage statistics

Content-Security-Policy-Report-Only response header information and usage statistics.

Websites using header Content-Security-Policy-Report-Only: 314,515
Percentage of websites that use Content-Security-Policy-Report-Only header: 0.32%
Total discovered header values: More than 10,000
Header uses directives: Yes
Header values are unique or random: No
Most popular in the country: DE

Content-Security-Policy-Report-Only directives (29 total)

  • base-uri
  • block-all-mixed-content
  • child-src
  • connect-src
  • default-src
  • font-src
  • form-action
  • frame-ancestors
  • frame-src
  • img-src
  • manifest-src
  • media-src
  • navigate-to
  • object-src
  • plugin-types
  • prefetch-src
  • report-to
  • report-uri
  • require-trusted-types-for
  • sandbox
  • script-src
  • script-src-attr
  • script-src-elem
  • style-src
  • style-src-attr
  • style-src-elem
  • trusted-types
  • upgrade-insecure-requests
  • worker-src

Content-Security-Policy-Report-Only Directives

Content-Security-Policy-Report-Only directives value information and usage statistics

Directive | Share | Websites count | Unique values
block-all-mixed-content | 6.80% | 21,392 | 9
upgrade-insecure-requests | 1.25% | 3,928 | 10
frame-ancestors | <0.1% | 87 | 1
worker-src | <0.1% | 44 | 2
child-src | <0.1% | 38 | 1
report-uri | <0.1% | 36 | 2
media-src | <0.1% | 34 | 1
frame-src | <0.1% | 27 | 1
object-src | <0.1% | 26 | 1
base-uri | <0.1% | 21 | 2
sandbox | <0.1% | 20 | 1
default-src | <0.1% | 16 | 1
img-src | <0.1% | 14 | 1
font-src | <0.1% | 12 | 1
manifest-src | <0.1% | 12 | 1
connect-src | <0.1% | 11 | 1
prefetch-src | <0.1% | 11 | 2
script-src | <0.1% | 11 | 1
style-src | <0.1% | 11 | 1
plugin-types | <0.1% | 10 | 1
trusted-types | <0.1% | 9 | 1
style-src-elem | <0.1% | 7 | 1
form-action | <0.1% | 6 | 1
report-to | <0.1% | 6 | 1
require-trusted-types-for | <0.1% | 6 | 1
script-src-attr | <0.1% | 6 | 1
script-src-elem | <0.1% | 6 | 1
style-src-attr | <0.1% | 6 | 1
navigate-to | <0.1% | 5 | 1

Connected technologies

Technologies that utilize the header

Medallia, category User Onboarding, total 355 websites
RapidSec, category Security Solutions, total 254 websites

Distribution by websites popularity

Content-Security-Policy-Report-Only detection in the top websites by popularity

Top 10k sites: 436 websites
Top 100k sites: 1,982 websites
Top 1m sites: 9,184 websites

Websites utilizing Content-Security-Policy-Report-Only

List of websites that use Content-Security-Policy-Report-Only header


Geographical Distribution

Header usage distribution by websites across the globe.
Common header values

List of top common Content-Security-Policy-Report-Only header values

Header value | Value prevalence
default-src *;script-src 'unsafe-inline' 'unsafe-eval' *;style-src 'unsafe-inline' *;connect-src * blob:;report-uri https://cdn.website-start.de/app/reporting/policyviolation/submit | 40.02%
default-src *;script-src 'unsafe-inline' 'unsafe-eval' *;style-src 'unsafe-inline' *;connect-src * blob:;report-uri https://cdn.initial-website.com/app/reporting/policyviolation/submit | 6.14%
default-src 'self'; img-src * data:; media-src *; font-src * https://*.aptrinsic.com data:; style-src 'self' 'unsafe-inline' 'unsafe-eval' sf.wildapricot.org caas-sf.wildapricot.org https://fonts.gstatic.com https://fonts.googleapis.com https://*.aptrinsi | 3.79%
script-src 'unsafe-inline' 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.gstatic.com https://www.google-analytics.com https://www.googleadservices.com https://googleads.g.doubleclick.net https://www.googletagman | 3.42%
block-all-mixed-content; report-uri /csprep/log; | 3.03%
default-src https: blob: data: 'unsafe-inline' 'unsafe-eval'; report-uri https://www.blogger.com/cspreport | 2.61%
default-src https:; script-src https: 'unsafe-eval' 'unsafe-inline'; style-src https: 'unsafe-inline'; img-src https: data:; font-src https: data:; report-uri /csp-report | 2.53%
block-all-mixed-content; report-uri https://blog.hatena.ne.jp/api/csp_report | 2.14%
default-src https: wss: 'unsafe-inline' 'unsafe-eval' data:; report-uri https://sp.report-uri.com/r/default/csp/reportOnly | 1.31%
default-src *;script-src 'unsafe-inline' 'unsafe-eval' *;style-src 'unsafe-inline' *;connect-src * blob:;report-uri https://cdn.eu.mywebsite-editor.com/app/reporting/policyviolation/submit | 1.00%
default-src * 'unsafe-inline' 'unsafe-eval' data: blob:; connect-src 'self' *.shopifycloud.com *.shopifysvc.com *.amazon.com *.paypal.com *.facebook.com sessions.bugsnag.com analytics.tiktok.com bat.bing.com www.google-analytics.com ct.pinterest.com stats | 0.89%
report-uri https://sjc1.qualtrics.com/csp-report | 0.86%
default-src https: data: blob: ; object-src https: data: 'unsafe-inline'; style-src https: data: 'unsafe-inline' ; script-src https: data: 'unsafe-inline' 'unsafe-eval' | 0.85%
default-src https: blob:; connect-src https: wss:; img-src https: data:; font-src https: data:; style-src https: 'unsafe-inline'; script-src https: 'unsafe-inline' 'unsafe-eval' blob:; report-uri /csp-violation-endpoint/ | 0.68%
font-src 'self' 'unsafe-inline'; form-action geostag.cardinalcommerce.com geo.cardinalcommerce.com 1eafstag.cardinalcommerce.com 1eaf.cardinalcommerce.com centinelapistag.cardinalcommerce.com centinelapi.cardinalcommerce.com secure.authorize.net test.auth | 0.64%
base-uri 'self';script-src https://*.cnzz.com http://alimei-sub.alibaba.com https://*.tbcdn.cn https://*.alicdn.com https://g.alicdn.com http://*.alicdn.com http://*.tbcdn.cn https://*.alibaba-inc.com http://*.mxhichina.com https://*.tdum.alibaba.com http | 0.52%
script-src 'unsafe-eval' blob: 'self' https: 'self' data: 'unsafe-inline' 'unsafe-eval' blob: 'unsafe-inline' internal-soap.wikia.com internal-soap.fandom.com internal-soap.wikia.org internal-soap.gamepedia.com www.fandom.com www.wikia.com www.wikia.org w | 0.46%
default-src https: data: blob: wss: 'unsafe-inline' 'unsafe-eval'; report-uri /_csp | 0.45%
default-src https: wss: data: blob: 'unsafe-inline' 'unsafe-eval'; report-uri https://tpj.report-uri.io/r/default/csp/reportOnly | 0.38%
default-src data: blob: 'self' https://*.fbsbx.com 'unsafe-inline' *.facebook.com 'unsafe-eval' *.fbcdn.net;script-src *.facebook.com *.fbcdn.net *.facebook.net *.google-analytics.com *.google.com 127.0.0.1:* 'unsafe-inline' 'unsafe-eval' blob: data: 'sel | 0.35%
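Added example (not code from this page or from any vendor listed on it): a small parser that splits a Content-Security-Policy-Report-Only value into directives, checks that a report destination exists (without report-uri or report-to a Report-Only policy generates nothing to monitor), and flags the source expressions that would make the policy ineffective if it were switched to enforcing. The WEAK_SOURCES set is the author's choice; the two sample values are rows from the table above.

```python
"""Review Content-Security-Policy-Report-Only values before enforcing them."""
from typing import Dict, List

# Source expressions that let injected script run anyway: 'https:' and '*'
# allow any host, the scheme sources allow inline-equivalent content.
WEAK_SOURCES = {"'unsafe-inline'", "'unsafe-eval'", "*", "https:", "http:",
                "data:", "blob:"}
# Directives that govern script execution (default-src is the fallback).
SCRIPT_DIRECTIVES = ("script-src", "script-src-elem", "script-src-attr",
                     "default-src", "object-src")


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a policy into {directive-name: [source expressions]}.
    Names are case-insensitive; on a duplicated directive the first
    occurrence wins, as browsers ignore later duplicates."""
    policy: Dict[str, List[str]] = {}
    for raw in value.split(";"):
        tokens = raw.split()
        if not tokens:            # skips trailing ';' and empty segments
            continue
        policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def review(value: str) -> List[str]:
    """Return reviewer findings for one Report-Only header value."""
    policy = parse_csp(value)
    findings: List[str] = []
    if "report-uri" not in policy and "report-to" not in policy:
        findings.append("no report-uri/report-to: Report-Only mode produces no reports")
    for name in SCRIPT_DIRECTIVES:
        weak = sorted(WEAK_SOURCES.intersection(policy.get(name, [])))
        if weak:
            findings.append(f"{name} allows {' '.join(weak)}")
    if "default-src" not in policy and "script-src" not in policy:
        findings.append("no default-src or script-src: script execution is unrestricted")
    return findings


# Two values taken from the "Common header values" table (blogger and hatena rows).
BLOGGER = ("default-src https: blob: data: 'unsafe-inline' 'unsafe-eval'; "
           "report-uri https://www.blogger.com/cspreport")
HATENA = "block-all-mixed-content; report-uri https://blog.hatena.ne.jp/api/csp_report"

if __name__ == "__main__":
    for label, value in (("blogger", BLOGGER), ("hatena", HATENA)):
        print(label, review(value) or ["no findings"])
```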