CSPViolationReportBody
Secure context: This feature is available only in secure contexts (HTTPS), in some or all supporting browsers.
The CSPViolationReportBody interface contains the report data for a Content Security Policy (CSP) violation. A CSP violation occurs when the webpage attempts to load or execute something (an external resource, or an inline script or style) that the policy delivered in the Content-Security-Policy HTTP header forbids.
Note: This interface is similar to, but not identical to, the JSON objects sent to the report-uri or report-to policy directives of the Content-Security-Policy header. In particular, the legacy report-uri payload uses hyphenated field names such as blocked-uri and document-uri, whereas this interface uses the camelCase names listed below.
Instance properties
Also inherits properties from its parent interface, ReportBody
.
CSPViolationReportBody.blockedURL (Read only)
A string representing the URL of the resource that was blocked because it violates the CSP. For a blocked inline script or style this is not a URL but the string "inline".
CSPViolationReportBody.columnNumber (Read only)
The column number in the script at which the violation occurred.
CSPViolationReportBody.disposition (Read only)
Indicates how the violated policy is configured to be treated by the user agent. This will be "enforce" (the policy was delivered in Content-Security-Policy and the resource was blocked) or "report" (the policy was delivered in Content-Security-Policy-Report-Only and the resource was allowed but reported).
CSPViolationReportBody.documentURL (Read only)
A string representing the URL of the document or worker in which the violation was found.
CSPViolationReportBody.effectiveDirective (Read only)
A string representing the directive whose enforcement uncovered the violation. This is the directive that actually applied, which may be more specific than the one written in the policy (for example, a script blocked under default-src is reported against the script directive that default-src falls back to).
CSPViolationReportBody.lineNumber (Read only)
The line number in the script at which the violation occurred.
CSPViolationReportBody.originalPolicy (Read only)
A string containing the policy whose enforcement uncovered the violation.
CSPViolationReportBody.referrer (Read only)
A string representing the URL for the referrer of the resources whose policy was violated, or null.
CSPViolationReportBody.sample (Read only)
A string representing a sample of the resource that caused the violation, usually the first 40 characters. This will only be populated if the resource is an inline script, event handler, or style; external resources causing a violation will not generate a sample. Note that the user agent only includes a sample when the violated directive contains the 'report-sample' keyword, so if you want this field when triaging inline violations, add 'report-sample' to the relevant directive.
CSPViolationReportBody.sourceFile (Read only)
If the violation occurred as a result of a script, this will be the URL of the script; otherwise, it will be null. Both columnNumber and lineNumber should have non-null values if this property is not null.
CSPViolationReportBody.statusCode (Read only)
A number representing the HTTP status code of the document or worker in which the violation occurred.
Instance methods
Also inherits methods from its parent interface, ReportBody
.
CSPViolationReportBody.toJSON()
A serializer which returns a JSON representation of the CSPViolationReportBody object.
Examples
Obtaining a CSPViolationReportBody
object
To obtain a CSPViolationReportBody object, you must configure your page so that a CSP violation will occur. In this example, we will set our CSP to only allow content from the site's own origin, and then attempt to load a script from apis.google.com, which is an external origin.
First, we will set our Content-Security-Policy
header:
Content-Security-Policy: default-src 'self';
Then, we will attempt to load an external script:
<!-- This should generate a CSP violation -->
<script src="https://apis.google.com/js/platform.js"></script>
Finally, we will create a new ReportingObserver object to listen for CSP violations. Because the blocked script may already have been processed by the time this code runs, the observer is created with buffered: true so that violations generated before observe() was called are still delivered.
const observer = new ReportingObserver(
(reports, observer) => {
for (const report of reports) {
// report.type is "csp-violation"; report.body is a CSPViolationReportBody
const cspViolation = report.body;
console.log(
`${cspViolation.effectiveDirective} blocked ${cspViolation.blockedURL}`,
cspViolation.toJSON(),
);
}
},
{
types: ["csp-violation"], // only deliver CSP violation reports
buffered: true, // include reports generated before observe() ran
},
);
observer.observe();
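The observer above only logs the first report. In practice you want to turn the CSPViolationReportBody objects the callback receives into a compact, deduplicated summary and ship it to your own collector, distinguishing blocked external resources (a URL in blockedURL) from inline violations (blockedURL of "inline", sourceFile plus line and column, and a sample if the policy carries 'report-sample'). The following is an added example, not code from the MDN page: the collector path /csp-reports, the use of navigator.sendBeacon, and the report objects in SAMPLE_REPORTS (constructed to mirror the property names documented above, including effectiveDirective values) are assumptions for illustration.

```javascript
// Added example (not from the original page): summarize ReportingObserver
// CSP violation reports and forward them to a collector endpoint.
// COLLECTOR_URL is an assumed endpoint for illustration.
const COLLECTOR_URL = "/csp-reports";

// Normalize one report of type "csp-violation" into a plain object.
// toJSON() is the serializer CSPViolationReportBody provides; the fallback
// handles plain objects (such as the constructed test data below).
function normalizeCspViolation(report) {
  const body = report.body;
  const json = typeof body.toJSON === "function" ? body.toJSON() : { ...body };
  const location =
    json.sourceFile !== null && json.sourceFile !== undefined
      ? `${json.sourceFile}:${json.lineNumber}:${json.columnNumber}`
      : null;
  return {
    directive: json.effectiveDirective,
    blockedURL: json.blockedURL,
    documentURL: json.documentURL,
    disposition: json.disposition,
    location,
    // sample is empty for external resources; it is only filled for inline
    // script/style/handler violations and only with 'report-sample' set
    sample: json.sample ? json.sample : null,
    inline: json.blockedURL === "inline",
  };
}

// Group identical violations (same disposition, directive, blocked URL and
// source location) so a page that hits the same policy hundreds of times
// produces one entry with a count instead of hundreds of beacons.
function summarizeCspReports(reports) {
  const groups = new Map();
  for (const report of reports) {
    if (report.type !== "csp-violation") continue; // ignore other report types
    const v = normalizeCspViolation(report);
    const key = `${v.disposition}|${v.directive}|${v.blockedURL}|${v.location ?? ""}`;
    const entry = groups.get(key);
    if (entry) {
      entry.count += 1;
    } else {
      groups.set(key, { ...v, count: 1 });
    }
  }
  return [...groups.values()];
}

// Ship summaries with sendBeacon (survives page unload); returns false when
// no beacon API is available, e.g. outside a browser.
function sendToCollector(summaries) {
  const payload = JSON.stringify({ summaries, sentAt: Date.now() });
  if (typeof navigator !== "undefined" && typeof navigator.sendBeacon === "function") {
    return navigator.sendBeacon(COLLECTOR_URL, payload);
  }
  return false;
}

// Register the observer. Returns null where ReportingObserver is not
// implemented (non-browser runtimes, older browsers) so callers can fall back.
function installCspObserver(send = sendToCollector) {
  if (typeof ReportingObserver === "undefined") return null;
  const observer = new ReportingObserver(
    (reports) => {
      const summaries = summarizeCspReports(reports);
      if (summaries.length > 0) send(summaries);
    },
    { types: ["csp-violation"], buffered: true },
  );
  observer.observe();
  return observer;
}

// Constructed sample data: plain objects shaped like Report/CSPViolationReportBody.
function makeBody(fields) {
  return { ...fields, toJSON() { return { ...fields }; } };
}
const EXTERNAL = {
  blockedURL: "https://apis.google.com/js/platform.js",
  columnNumber: null, lineNumber: null, sourceFile: null,
  disposition: "enforce", documentURL: "https://example.test/",
  effectiveDirective: "script-src-elem", originalPolicy: "default-src 'self'",
  referrer: "", sample: "", statusCode: 200,
};
const INLINE = {
  blockedURL: "inline", columnNumber: 12, lineNumber: 7,
  sourceFile: "https://example.test/", disposition: "report",
  documentURL: "https://example.test/", effectiveDirective: "script-src-elem",
  originalPolicy: "script-src 'self' 'report-sample'", referrer: "",
  sample: "alert(document.cookie)", statusCode: 200,
};
const SAMPLE_REPORTS = [
  { type: "csp-violation", url: "https://example.test/", body: makeBody(EXTERNAL) },
  { type: "csp-violation", url: "https://example.test/", body: makeBody(EXTERNAL) },
  { type: "csp-violation", url: "https://example.test/", body: makeBody(INLINE) },
  { type: "deprecation", url: "https://example.test/", body: { id: "x" } },
];

if (typeof module !== "undefined") {
  module.exports = { normalizeCspViolation, summarizeCspReports, installCspObserver, SAMPLE_REPORTS };
}
```

Call installCspObserver() as early as possible in the document so that, together with buffered: true, no violation is missed. The inline entry in the summary is the one worth alerting on first: an unexpected inline script with a sample is a likelier sign of injected content than a third-party script blocked by an overly strict policy.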
Specifications
Content Security Policy Level 3, # cspviolationreportbody
Browser compatibility