Content Security Policy (CSP)
Quick Reference Guide


Content-Security-Policy-Report-Only Header

What is the Content-Security-Policy-Report-Only header?

Why use the Content-Security-Policy-Report-Only Header?

It is a great way to see the possible effect of implementing a Content-Security-Policy header without actually blocking anything. When you use Content-Security-Policy-Report-Only, violations are only reported to the developer tools console, and if you have specified a report-to or report-uri directive, the browser can also post a JSON representation of the violation to a URI endpoint that you specify.
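The sketch below is an added example, not code from this guide: it normalizes the JSON bodies a browser posts for report-uri (`application/csp-report`) and report-to (`application/reports+json`), then tallies what an enforced policy would have blocked. The function names and the example.com sample reports are constructed for illustration.

```javascript
// Constructed sample bodies; the example.com URLs are placeholders.
const SAMPLE_REPORT_URI = JSON.stringify({ "csp-report": {
  "document-uri": "https://app.example.com/login",
  "violated-directive": "script-src-elem",
  "effective-directive": "script-src-elem",
  "blocked-uri": "https://cdn.example.net/widget.js",
  "disposition": "report" } });
const SAMPLE_REPORT_TO = JSON.stringify([
  { type: "csp-violation", url: "https://app.example.com/login",
    body: { documentURL: "https://app.example.com/login", blockedURL: "inline",
            effectiveDirective: "style-src-attr", disposition: "report" } },
  { type: "deprecation", url: "https://app.example.com/", body: { id: "x" } } ]);

// Normalize one POST body from either reporting mechanism into flat records.
// The body is untrusted input: anyone can POST to the endpoint.
function parseCspReports(contentType, bodyText) {
  let data;
  try { data = JSON.parse(bodyText); } catch (_) { return []; }
  const type = String(contentType).split(";")[0].trim().toLowerCase();
  if (type === "application/csp-report") {
    // report-uri: a single object under the "csp-report" key.
    const r = data && data["csp-report"];
    if (!r || typeof r !== "object") return [];
    return [{ directive: r["effective-directive"] || r["violated-directive"],
              blocked: r["blocked-uri"], document: r["document-uri"],
              disposition: r["disposition"] || "unknown" }];
  }
  if (type === "application/reports+json") {
    // report-to: an array that can also carry non-CSP report types.
    return (Array.isArray(data) ? data : [])
      .filter((r) => r && r.type === "csp-violation" && r.body)
      .map((r) => ({ directive: r.body.effectiveDirective, blocked: r.body.blockedURL,
                     document: r.body.documentURL,
                     disposition: r.body.disposition || "unknown" }));
  }
  return []; // any other content type is ignored
}

// Count violations per "directive <- blocked origin" to show what enforcing would block.
function summarize(records) {
  const counts = {};
  for (const rec of records) {
    let source = String(rec.blocked || "(none)"); // may be a keyword such as "inline"
    try { source = new URL(source).origin; } catch (_) { /* keep keyword */ }
    const key = `${rec.directive} <- ${source}`;
    counts[key] = (counts[key] || 0) + 1;
  }
  return counts;
}
```

Reviewing the tallies from `summarize` over a period of real traffic shows which sources need to be allowed, or removed from the page, before the same policy is moved to the enforcing Content-Security-Policy header.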

Content-Security-Policy-Report-Only Browser Support

CSP Level 1


Supported On:


Chrome 25+ (2013)
Firefox 23+ (2013)
Safari 7+ (2013)
Edge 12+ (2015)

The Content-Security-Policy-Report-Only header has been supported since the first version of CSP Level 1. This means that support has existed since 2013: Chrome 25+, Firefox 23+, Safari 7+ or IE Edge 12+.