HTTP response header

X-WebKit-CSP-Report-Only is a deprecated Content Security Policy header.

Header usage statistics

X-WebKit-CSP-Report-Only response header information and usage statistics.

Websites using header X-WebKit-CSP-Report-Only: 1,209
Percentage of websites that use X-WebKit-CSP-Report-Only header: <0.1%
Total discovered header values: 255
Header uses directives: No
Header values are unique or random: No
Most popular in the country: United States of America

Distribution by websites popularity

X-WebKit-CSP-Report-Only detection in the top websites by popularity

Top 10k sites: 4 websites
Top 100k sites: 14 websites
Top 1m sites: 71 websites

Websites utilizing X-WebKit-CSP-Report-Only

List of websites that use X-WebKit-CSP-Report-Only header

Domain | Country | Rank
connect.mail.ru | Russian Federation | 3,769
my.mail.ru | Russian Federation | 4,957
www.qualcomm.com | United States of America | 6,612
aspe.hhs.gov | United States of America | 8,076
developers.redhat.com | United States of America | 14,128
www.bodybuilding.com | United States of America | 19,242

Geographical Distribution

Header usage distribution by websites across the globe.

Common header values

List of top common X-WebKit-CSP-Report-Only header values

Header value | Value prevalence
frame-ancestors 'self'; report-uri /csp_logger | 38.05%
default-src 'self' https: 'unsafe-inline' 'unsafe-eval'; report-uri content.php?action=150&module=core&handler=ContentSecurityPolicyHandler&mode=reportCspViolation; | 18.11%
default-src 'self' 'unsafe-inline'; script-src-elem 'self' 'unsafe-inline'; script-src-attr 'unsafe-inline'; style-src-elem 'self' 'unsafe-inline'; img-src * data: zixx: zixxs: cid: file: blob:; font-src * data:; connect-src 'self' www.googleapis.com apis | 12.90%
default-src 'self' https://static.eole-web.fr http://static.eole-web.fr; script-src 'self' 'unsafe-eval' data: http://cdn.ckeditor.com https://cdn.ckeditor.com http://connect.facebook.net https://connect.facebook.net https://platform.twitter.com http://pl | 2.23%
default-src 'self' https: 'unsafe-inline' 'unsafe-eval'; report-uri content.php?action=150&module=core&handler=ContentSecurityPolicyHandler&mode=reportCspViolation; report-to content.php?action=150&module=core&handler=ContentSecurityPolicyHandler&mode=rep | 1.82%
default-src 'self'; report-uri /admin/config/system/seckit/csp-report | 1.41%
default-src *; script-src *; object-src *; style-src *; img-src *; media-src *; frame-src *; font-src *; connect-src * | 1.08%
default-src 'self'; report-uri /report-csp-violation | 1.08%
default-src 'self' data: *; script-src 'self' data: 'unsafe-inline' 'unsafe-eval' *; object-src 'self' data: *; style-src 'self' data: 'unsafe-inline' *; img-src 'self' data: *; media-src 'self' data: *; frame-src 'self'; font-src 'self' data: *; connect- | 0.99%
default-src 'self' 'unsafe-inline' 'unsafe-eval' *; script-src 'self' 'unsafe-inline' 'unsafe-eval' *; object-src 'self' 'unsafe-inline' 'unsafe-eval' *; style-src 'self' 'unsafe-inline' 'unsafe-eval' *; img-src 'self' 'unsafe-inline' 'unsafe-eval' *; med | 0.91%
base-uri 'self'; default-src 'none'; child-src; connect-src 'self' https://rec.smartlook.com http://rec.smartlook.com rec.smartlook.com https://apikeys.civiccomputing.com http://apikeys.civiccomputing.com apikeys.civiccomputing.com https://ig.instant-toke | 0.74%
report-uri /report-csp-violation | 0.74%
default-src https: 'unsafe-inline' 'unsafe-eval' data: about: blob:; report-uri /_resources/php/csp-report.php | 0.66%
default-src https: 'unsafe-inline' 'unsafe-eval'; img-src https://* data: ; frame-src https://* about: javascript: | 0.66%
default-src https: 'unsafe-inline' 'unsafe-eval' data: about:; report-uri /_resources/php/csp-report.php | 0.58%
report-uri /report-csp-violation; upgrade-insecure-requests | 0.58%
default-src * | 0.41%
base-uri 'self'; default-src 'self'; connect-src 'self' https://track.connect.bcg.com https://heapanalytics.com https://session-replay.browser-intake-datadoghq.com https://*.logs.datadoghq.com; font-src 'self' https://fonts.gstatic.com; frame-src 'self' h | 0.41%
default-src 'self';img-src * data:;style-src 'self' 'unsafe-inline';font-src 'self';script-src 'self' 'unsafe-inline';connect-src 'self';frame-src 'self';child-src 'self';form-action 'self';block-all-mixed-content; report-uri https://bbcsp.report-uri.io/r | 0.33%
default-src 'self' ; script-src 'self' 'unsafe-inline' 'unsafe-eval' cdnjs.cloudflare.com www.google-analytics.com; style-src 'self' 'unsafe-inline' fonts.googleapis.com; img-src 'self' data: www.google-analytics.com secure.gravatar.com; font-src 'self' d | 0.25%