Content-Security-Policy-Report-Only

HTTP response header

The HTTP Content-Security-Policy-Report-Only response header lets web developers experiment with policies by monitoring (but not enforcing) their effects. Violation reports are JSON documents sent via an HTTP POST request to the specified URI.
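As an added example (not part of this page or of any listed site's own code), here is a small Python parser and aggregator for the JSON violation reports that a report-uri endpoint receives, which is where the monitoring value of the header comes from. The field names follow the report-uri report format; the sample POST bodies, hostnames and paths are constructed.

```python
import json
from collections import Counter
from urllib.parse import urlsplit

def parse_report(body):
    """Parse one report-uri POST body; return a normalised dict, or None if it is not a CSP report."""
    try:
        doc = json.loads(body)
    except ValueError:  # malformed JSON or undecodable bytes
        return None
    rep = doc.get("csp-report") if isinstance(doc, dict) else None
    if not isinstance(rep, dict):
        return None
    # Newer browsers send effective-directive; older ones only violated-directive, sometimes
    # with the source list appended ("script-src 'self'"), so keep the first token only.
    directive = rep.get("effective-directive") or rep.get("violated-directive") or ""
    if not directive:
        return None
    # blocked-uri is a URL for remote resources but a bare keyword (inline, eval, data) otherwise;
    # reduce URLs to their origin so paths and query strings do not split the counts.
    blocked = rep.get("blocked-uri", "")
    if "://" in blocked:
        parts = urlsplit(blocked)
        blocked = f"{parts.scheme}://{parts.netloc}"
    return {"document": rep.get("document-uri", ""), "directive": directive.split()[0],
            "blocked": blocked, "disposition": rep.get("disposition", "unknown")}

def summarize(bodies):
    """Count (directive, blocked origin) pairs over many POST bodies, skipping unparsable ones."""
    counts = Counter()
    for body in bodies:
        rep = parse_report(body)
        if rep is not None:
            counts[(rep["directive"], rep["blocked"])] += 1
    return counts

def _body(report):
    return json.dumps({"csp-report": report}).encode()

SAMPLE_BODIES = [  # constructed, not real traffic: three violations, one non-JSON, one unrelated JSON
    _body({"document-uri": "https://shop.example/checkout", "disposition": "report",
           "effective-directive": "script-src-elem", "blocked-uri": "https://cdn.third-party.example/tag.js"}),
    _body({"document-uri": "https://shop.example/cart",  # old-style report: no effective-directive
           "violated-directive": "script-src 'self'", "blocked-uri": "https://cdn.third-party.example/other.js?v=2"}),
    _body({"document-uri": "https://shop.example/", "disposition": "report",
           "effective-directive": "style-src-attr", "violated-directive": "style-src", "blocked-uri": "inline"}),
    b"not json at all",
    b'{"unrelated": true}',
]
```

Running `summarize(SAMPLE_BODIES).most_common()` gives the per-directive, per-origin counts a team would review before switching the same policy to the enforcing Content-Security-Policy header.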

Header usage statistics

Content-Security-Policy-Report-Only response header information and usage statistics.

Websites using header Content-Security-Policy-Report-Only: 281,685
Percentage of websites that use Content-Security-Policy-Report-Only header: 0.28%
Total discovered header values: 10,001
Header uses directives: Yes
Header values are unique or random: No
Most popular in the country: Germany

Content-Security-Policy-Report-Only Directives (27 total)

  • base-uri
  • block-all-mixed-content
  • child-src
  • connect-src
  • default-src
  • font-src
  • form-action
  • frame-ancestors
  • frame-src
  • img-src
  • manifest-src
  • media-src
  • object-src
  • plugin-types
  • prefetch-src
  • report-to
  • report-uri
  • sandbox
  • script-src
  • script-src-attr
  • script-src-elem
  • style-src
  • style-src-attr
  • style-src-elem
  • trusted-types
  • upgrade-insecure-requests
  • worker-src

Content-Security-Policy-Report-Only Directives

Content-Security-Policy-Report-Only directives value information and usage statistics

Directive                  Share  Websites count  Unique values
block-all-mixed-content    5.18%          14,602             11
upgrade-insecure-requests  1.42%           3,995             13
frame-ancestors            <0.1%              53              2
report-uri                 <0.1%              39              2
media-src                  <0.1%              38              2
child-src                  <0.1%              29              2
worker-src                 <0.1%              28              2
base-uri                   <0.1%              27              2
object-src                 <0.1%              20              2
sandbox                    <0.1%              17              1
default-src                <0.1%               9              1
manifest-src               <0.1%               9              1
frame-src                  <0.1%               8              1
plugin-types               <0.1%               8              1
prefetch-src               <0.1%               7              1
form-action                <0.1%               5              1
connect-src                <0.1%               4              1
font-src                   <0.1%               3              1
script-src                 <0.1%               3              1
script-src-attr            <0.1%               3              1
script-src-elem            <0.1%               3              1
style-src                  <0.1%               3              1
style-src-attr             <0.1%               3              1
trusted-types              <0.1%               3              1
img-src                    <0.1%               2              1
report-to                  <0.1%               2              1
style-src-elem             <0.1%               2              1

Connected technologies

Technologies that utilize the header

Medallia, category User Onboarding, total 237 websites

Distribution by websites popularity

Content-Security-Policy-Report-Only detection in the top websites by popularity

Top 10k sites 373 websites
Top 100k sites 1,572 websites
Top 1m sites 7,592 websites

Websites utilizing Content-Security-Policy-Report-Only

List of websites that use Content-Security-Policy-Report-Only header

Domain                  Country                   Rank
www.facebook.com        Ireland                      2
www.youtube.com         United States of America     6
developers.google.com   United States of America    11
www.messenger.com       Ireland                     12
m.facebook.com          Ireland                     16
www.pinterest.com       United States of America    32

Geographical Distribution

Header usage distribution by websites across the globe.


Common header values

List of top common Content-Security-Policy-Report-Only header values

Header value Value prevalence
default-src *;script-src 'unsafe-inline' 'unsafe-eval' *;style-src 'unsafe-inline' *;connect-src * blob:;report-uri https://cdn.website-start.de/app/reporting/policyviolation/submit 47.34%
default-src *;script-src 'unsafe-inline' 'unsafe-eval' *;style-src 'unsafe-inline' *;connect-src * blob:;report-uri https://cdn.initial-website.com/app/reporting/policyviolation/submit 7.30%
default-src https: blob: data: 'unsafe-inline' 'unsafe-eval'; report-uri https://www.blogger.com/cspreport 3.16%
default-src https:; script-src https: 'unsafe-eval' 'unsafe-inline'; style-src https: 'unsafe-inline'; img-src https: data:; font-src https: data:; report-uri /csp-report 3.10%
block-all-mixed-content; report-uri https://blog.hatena.ne.jp/api/csp_report 2.75%
default-src https: wss: 'unsafe-inline' 'unsafe-eval' data:; report-uri https://sp.report-uri.com/r/default/csp/reportOnly 1.56%
default-src *;script-src 'unsafe-inline' 'unsafe-eval' *;style-src 'unsafe-inline' *;connect-src * blob:;report-uri https://cdn.eu.mywebsite-editor.com/app/reporting/policyviolation/submit 1.18%
font-src 'self' 'unsafe-inline'; form-action geostag.cardinalcommerce.com geo.cardinalcommerce.com 1eafstag.cardinalcommerce.com 1eaf.cardinalcommerce.com centinelapistag.cardinalcommerce.com centinelapi.cardinalcommerce.com secure.authorize.net test.auth 1.08%
default-src https: data: 'unsafe-inline' 'unsafe-eval' 1.04%
report-uri https://sjc1.qualtrics.com/csp-report 0.88%
default-src https: blob:; connect-src https: wss:; img-src https: data:; font-src https: data:; style-src https: 'unsafe-inline'; script-src https: 'unsafe-inline' 'unsafe-eval' blob:; report-uri /csp-violation-endpoint/ 0.78%
block-all-mixed-content; report-uri /csprep/log; 0.60%
default-src https: data: blob: wss: 'unsafe-inline' 'unsafe-eval'; report-uri /_csp 0.56%
script-src 'unsafe-eval' 'self' https: 'self' data: 'unsafe-inline' 'unsafe-eval' blob: 'unsafe-inline' internal-soap.wikia.com internal-soap.fandom.com internal-soap.wikia.org internal-soap.gamepedia.com www.fandom.com www.wikia.com www.wikia.org www.gam 0.54%
default-src acsbap.com *.acsbapp.com *.google-analytics.com;frame-src 'self' *.google.com *.google-analytics.com *.googletagmanager.com *.onboardnavigator.com;img-src 'self' data: *.bing.com *.elmstreettechnology.com *.facebook.com *.google-analytics.com 0.50%
default-src https: wss: data: blob: 'unsafe-inline' 'unsafe-eval'; report-uri https://tpj.report-uri.io/r/default/csp/reportOnly 0.40%
default-src 'self' data: blob: https://*.fbsbx.com 'unsafe-inline' *.facebook.com 'unsafe-eval' *.fbcdn.net;script-src connect.facebook.net static.xx.fbcdn.net 'unsafe-inline' *.facebook.com 'unsafe-eval' *.fbcdn.net data:;connect-src wss://gateway.facebo 0.40%
font-src 'self' 'unsafe-inline'; form-action secure.authorize.net test.authorize.net geostag.cardinalcommerce.com geo.cardinalcommerce.com 1eafstag.cardinalcommerce.com 1eaf.cardinalcommerce.com centinelapistag.cardinalcommerce.com centinelapi.cardinalcom 0.36%
script-src 'unsafe-eval' blob: 'self' meta.wikimedia.org *.wikimedia.org *.wikipedia.org *.wikinews.org *.wiktionary.org *.wikibooks.org *.wikiversity.org *.wikisource.org wikisource.org *.wikiquote.org *.wikidata.org *.wikivoyage.org *.mediawiki.org 'uns 0.35%
frame-ancestors 'self' *.flipdish.com; report-uri /api/v1.0/csp/report 0.34%