Content-Security-Policy-Report-Only HTTP response header

Content-Security-Policy-Report-Only

The HTTP Content-Security-Policy-Report-Only response header allows web developers to experiment with policies by monitoring (but not enforcing) their effects. These violation reports consist of JSON documents sent via an HTTP POST request to the specified URI

Header usage statistics

Content-Security-Policy-Report-Only response header information and usage statistics.


Websites using header Content-Security-Policy-Report-Only	297,628
Percentage of websites that use Content-Security-Policy-Report-Only header	0.48%
Total discovered header values	More than 10,000
Header uses directives	Yes
Header values are unique or random	No
Most popular in the country	United States

Content-Security-Policy-Report-Only directives (29 total)

base-uri
block-all-mixed-content
child-src
connect-src
default-src
font-src
form-action
frame-ancestors
frame-src
img-src
manifest-src
media-src
navigate-to
object-src
plugin-types
prefetch-src
report-to
report-uri
require-trusted-types-for
sandbox
script-src
script-src-attr
script-src-elem
style-src
style-src-attr
style-src-elem
trusted-types
upgrade-insecure-requests
worker-src

Directive	Share	Websites count	Unique Values
upgrade-insecure-requests	3.80%	11,306	18
block-all-mixed-content	3.46%	10,302	9
report-uri	<0.1%	75	2
worker-src	<0.1%	72	1
child-src	<0.1%	59	2
frame-ancestors	<0.1%	57	2
base-uri	<0.1%	49	2
media-src	<0.1%	41	1
object-src	<0.1%	26	1
report-to	<0.1%	19	2
sandbox	<0.1%	15	2
connect-src	<0.1%	14	1
default-src	<0.1%	14	1
form-action	<0.1%	12	1
frame-src	<0.1%	12	1
manifest-src	<0.1%	9	1
prefetch-src	<0.1%	9	1
trusted-types	<0.1%	9	1
font-src	<0.1%	8	1
img-src	<0.1%	7	1
script-src	<0.1%	7	1
script-src-attr	<0.1%	7	1
style-src	<0.1%	7	1
script-src-elem	<0.1%	6	1
style-src-attr	<0.1%	6	1
style-src-elem	<0.1%	6	1
require-trusted-types-for	<0.1%	5	1
navigate-to	<0.1%	4	1
plugin-types	<0.1%	4	1

Directive

Websites count

Unique Values

upgrade-insecure-requests

3.80%

11,306

block-all-mixed-content

3.46%

10,302

report-uri

<0.1%

worker-src

<0.1%

child-src

<0.1%

frame-ancestors

<0.1%

base-uri

<0.1%

media-src

<0.1%

object-src

<0.1%

report-to

<0.1%

sandbox

<0.1%

connect-src

<0.1%

default-src

<0.1%

form-action

<0.1%

frame-src

<0.1%

manifest-src

<0.1%

prefetch-src

<0.1%

trusted-types

<0.1%

font-src

<0.1%

img-src

<0.1%

script-src

<0.1%

script-src-attr

<0.1%

style-src

<0.1%

script-src-elem

<0.1%

style-src-attr

<0.1%

style-src-elem

<0.1%

require-trusted-types-for

<0.1%

navigate-to

<0.1%

plugin-types

<0.1%

Domain	Country	Rank
google.com	United States	3
googletagmanager.com	United States	8
maps.google.com	United States	24
accounts.google.com	United States	28
google-analytics.com	United States	38
support.google.com	United States	43

Domain

Country

Rank

Contacts

United States

United States

United States

United States

United States

United States

Header value	Value prevalence
default-src ;script-src 'unsafe-inline' 'unsafe-eval' ;style-src 'unsafe-inline' ;connect-src blob:;report-uri https://cdn.website-start.de/app/reporting/policyviolation/submit	30.80%
default-src ;script-src 'unsafe-inline' 'unsafe-eval' ;style-src 'unsafe-inline' ;connect-src blob:;report-uri https://cdn.initial-website.com/app/reporting/policyviolation/submit	4.64%
default-src https: blob: data: 'unsafe-inline' 'unsafe-eval'; report-to blogspot; report-uri https://www.blogger.com/cspreport	3.37%
upgrade-insecure-requests; default-src 'self' https: data: wss: 'unsafe-inline' 'unsafe-eval';	2.09%
default-src http: https: 'self'; connect-src 'self' http: https: javascript: wss: .doubleclick.net .facebook.com .freshdesk.com ajax.googleapis.com .google-analytics.com www.justuno.com .loyaltylion.net www.shopboostapp.com .smartsupp.com *.tawk.to	2.00%
block-all-mixed-content; report-uri https://blog.hatena.ne.jp/api/csp_report	1.54%
frame-ancestors 'self'	1.51%
default-src https:; script-src https: 'unsafe-eval' 'unsafe-inline'; style-src https: 'unsafe-inline'; img-src https: data:; font-src https: data:; report-uri /csp-report	1.32%
frame-ancestors 'self' .qualtrics.com .my.salesforce.com .visualforce.com .visual.force.com *.lightning.force.com; report-uri https://sjc1.qualtrics.com/csp-report	0.91%
default-src ;script-src 'unsafe-inline' 'unsafe-eval' ;style-src 'unsafe-inline' ;connect-src blob:;report-uri https://cdn.eu.mywebsite-editor.com/app/reporting/policyviolation/submit	0.75%
require-trusted-types-for 'script';report-uri https://csp.withgoogle.com/csp/6b8ce7c01e3dacd3d2c7a8cd322ff979/mr	0.57%
default-src https: wss: 'unsafe-inline' 'unsafe-eval' data:; report-uri https://sp.report-uri.com/r/default/csp/reportOnly	0.55%
script-src 'unsafe-eval' blob: 'self' https: 'self' data: 'unsafe-inline' 'unsafe-eval' blob: 'unsafe-inline' internal-soap.wikia.com internal-soap.fandom.com internal-soap.wikia.org internal-soap.gamepedia.com www.fandom.com www.wikia.com www.wikia.org w	0.50%
report-uri /csp-violation-report-endpoint	0.48%
default-src * 'unsafe-eval' 'unsafe-inline' 'unsafe-dynamic' data: filesystem: about: blob: ws: wss:	0.44%
default-src * data: ; script-src * 'unsafe-inline' 'unsafe-eval' ; style-src * 'unsafe-inline' data: ; frame-ancestors 'none'; report-uri /csp-violation-report-endpoint/	0.44%
default-src 'self' 'unsafe-eval' 'unsafe-hashes' 'unsafe-inline' data: blob: ; form-action 'none' ; frame-ancestors 'self' ; script-src 'unsafe-eval' 'unsafe-hashes' 'report-sample'; report-uri /csp_report	0.42%
script-src 'unsafe-eval' blob: 'self' meta.wikimedia.org .wikimedia.org .wikipedia.org .wikinews.org .wiktionary.org .wikibooks.org .wikiversity.org .wikisource.org wikisource.org .wikiquote.org .wikidata.org .wikifunctions.org *.wikivoyage.org	0.35%
default-src https: data: blob: wss: 'unsafe-inline' 'unsafe-eval'; report-uri /_csp	0.33%
default-src acsbap.com .acsbapp.com .google-analytics.com .voicepad.com analytics.crea.ca .hireaiva.com aiva-live-chat.storage.googleapis.com;frame-src 'self' 'unsafe-inline' .google.com .google-analytics.com .googletagmanager.com .onboardnavigato	0.32%

Header value

Value prevalence

default-src *;script-src 'unsafe-inline' 'unsafe-eval' *;style-src 'unsafe-inline' *;connect-src * blob:;report-uri https://cdn.website-start.de/app/reporting/policyviolation/submit

30.80%

default-src *;script-src 'unsafe-inline' 'unsafe-eval' *;style-src 'unsafe-inline' *;connect-src * blob:;report-uri https://cdn.initial-website.com/app/reporting/policyviolation/submit

4.64%

default-src https: blob: data: 'unsafe-inline' 'unsafe-eval'; report-to blogspot; report-uri https://www.blogger.com/cspreport

3.37%

upgrade-insecure-requests; default-src 'self' https: data: wss: 'unsafe-inline' 'unsafe-eval';

2.09%

default-src http: https: 'self'; connect-src 'self' http: https: javascript: wss: *.doubleclick.net *.facebook.com *.freshdesk.com ajax.googleapis.com *.google-analytics.com www.justuno.com *.loyaltylion.net www.shopboostapp.com *.smartsupp.com *.tawk.to

2.00%

block-all-mixed-content; report-uri https://blog.hatena.ne.jp/api/csp_report

1.54%

frame-ancestors 'self'

1.51%

default-src https:; script-src https: 'unsafe-eval' 'unsafe-inline'; style-src https: 'unsafe-inline'; img-src https: data:; font-src https: data:; report-uri /csp-report

1.32%

frame-ancestors 'self' *.qualtrics.com *.my.salesforce.com *.visualforce.com *.visual.force.com *.lightning.force.com; report-uri https://sjc1.qualtrics.com/csp-report

0.91%

default-src *;script-src 'unsafe-inline' 'unsafe-eval' *;style-src 'unsafe-inline' *;connect-src * blob:;report-uri https://cdn.eu.mywebsite-editor.com/app/reporting/policyviolation/submit

0.75%

require-trusted-types-for 'script';report-uri https://csp.withgoogle.com/csp/6b8ce7c01e3dacd3d2c7a8cd322ff979/mr

0.57%

default-src https: wss: 'unsafe-inline' 'unsafe-eval' data:; report-uri https://sp.report-uri.com/r/default/csp/reportOnly

0.55%

script-src 'unsafe-eval' blob: 'self' https: 'self' data: 'unsafe-inline' 'unsafe-eval' blob: 'unsafe-inline' internal-soap.wikia.com internal-soap.fandom.com internal-soap.wikia.org internal-soap.gamepedia.com www.fandom.com www.wikia.com www.wikia.org w

0.50%

report-uri /csp-violation-report-endpoint

0.48%

default-src * 'unsafe-eval' 'unsafe-inline' 'unsafe-dynamic' data: filesystem: about: blob: ws: wss:

0.44%

default-src * data: ; script-src * 'unsafe-inline' 'unsafe-eval' ; style-src * 'unsafe-inline' data: ; frame-ancestors 'none'; report-uri /csp-violation-report-endpoint/

0.44%

default-src 'self' 'unsafe-eval' 'unsafe-hashes' 'unsafe-inline' data: blob: ; form-action 'none' ; frame-ancestors 'self' ; script-src 'unsafe-eval' 'unsafe-hashes' 'report-sample'; report-uri /csp_report

0.42%

script-src 'unsafe-eval' blob: 'self' meta.wikimedia.org *.wikimedia.org *.wikipedia.org *.wikinews.org *.wiktionary.org *.wikibooks.org *.wikiversity.org *.wikisource.org wikisource.org *.wikiquote.org *.wikidata.org *.wikifunctions.org *.wikivoyage.org

0.35%

default-src https: data: blob: wss: 'unsafe-inline' 'unsafe-eval'; report-uri /_csp

0.33%

default-src acsbap.com *.acsbapp.com *.google-analytics.com *.voicepad.com analytics.crea.ca *.hireaiva.com aiva-live-chat.storage.googleapis.com;frame-src 'self' 'unsafe-inline' *.google.com *.google-analytics.com *.googletagmanager.com *.onboardnavigato

0.32%