CSP: report-to
The Content-Security-Policy report-to directive indicates the name of the endpoint that the browser should use for reporting CSP violations.
If a CSP violation occurs, a report is generated that contains a serialized CSPViolationReportBody object instance.
This report is sent to the URL that corresponds to the endpoint name, using the generic mechanisms defined in the Reporting API.
The server must separately provide the mapping between endpoint names and their corresponding URLs in the Reporting-Endpoints HTTP response header.
| CSP version | 1 |
|---|---|
| Directive type | Reporting directive |
This directive is not supported in the <meta> element. |
|
Syntax
Content-Security-Policy: …; report-to <endpoint_name>
<endpoint_name> is the name of an endpoint provided by the Reporting-Endpoints HTTP response header.
It can also be the name of a group that is provided by the server in the Report-To
Deprecated
HTTP response header.
Violation report syntax
A CSP violation report is a JSON-serialized Report object instance, with a type property that has a value of "csp-violation", and a body that is the serialized form of a CSPViolationReportBody object (see the respective objects for their property definitions).
Reports are sent to the target endpoint(s) via a POST operation with a Content-Type of application/reports+json.
The JSON for a single report might look like this:
{
"age": 53531,
"body": {
"blockedURL": "inline",
"columnNumber": 39,
"disposition": "enforce",
"documentURL": "https://example.com/csp-report",
"effectiveDirective": "script-src-elem",
"lineNumber": 121,
"originalPolicy": "default-src 'self'; report-to csp-endpoint-name",
"referrer": "https://www.google.com/",
"sample": "console.log(\"lo\")",
"sourceFile": "https://example.com/csp-report",
"statusCode": 200
},
"type": "csp-violation",
"url": "https://example.com/csp-report",
"user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36"
}
Usage notes
The report-to directive is intended to replace report-uri, and browsers that support report-to ignore the report-uri directive.
However, until report-to is broadly supported you can specify both headers as shown:
Content-Security-Policy: …; report-uri https://endpoint.example.com; report-to endpoint_name
Note that other examples in this topic do not show report-uri.
Examples
Setting a CSP violation report endpoint
A server can define the mapping between endpoint names and URLs using the Reporting-Endpoints header in the HTTP response.
Any name can be used: here we've chosen name-of-endpoint.
Reporting-Endpoints: name-of-endpoint="https://example.com/csp-reports"
The server can set this endpoint name as the target for sending CSP violation reports to using the report-to directive:
Content-Security-Policy: default-src 'self'; report-to name-of-endpoint
Specifications
| Specification |
|---|
| Content Security Policy Level 3 # directive-report-to |
Browser compatibility
BCD tables only load in the browser