What is a CSP violation report?

When a Content Security Policy blocks a resource or inline script, the browser can POST a JSON report describing the violation to a configured endpoint. It records which directive was violated, the blocked URI, and where in the page the offending content lived, so developers can audit and tighten their policy.

How do report-uri and report-to differ?

report-uri is the legacy directive that POSTs a body wrapped in a csp-report object with hyphenated keys to a single URL. report-to uses the modern Reporting API: it names an endpoint group from the Report-To/Reporting-Endpoints header and sends a report with a camelCase body field. Send both during migration.

What is the difference between blocked-uri and source-file?

blocked-uri is the resource that was blocked (e.g. the script or image URL, or a token like inline or eval). source-file is the document URL where the violating directive was encountered, paired with line-number and column-number to locate the offending markup.

Why might reports be missing or truncated?

Browsers strip or coarsen sensitive fields cross-origin, may sample reports, and truncate blocked-uri to the origin for privacy. Report-only mode (Content-Security-Policy-Report-Only) sends reports without blocking, which is the safest way to trial a policy.

Does this tool collect any reports?

No. It is a static field reference searched in your browser. No reports are received, stored or transmitted.

CSP Violation Report Fields

Email me this result

Get this tool's output sent to your inbox, plus one useful tool a week. No spam, unsubscribe any time.

CSP violation report fields

When a Content Security Policy blocks something, the browser can send a JSON violation report to an endpoint. Two formats exist: the legacy report-uri (csp-report) body and the modern Reporting API (report-to). This reference lists every field in both, with meaning and source, plus a live filter.

How it works

A page declares where to send reports, then the browser POSTs JSON on a violation. The legacy format wraps fields in a csp-report object:

{
  "csp-report": {
    "document-uri": "https://app.example/page",
    "violated-directive": "script-src 'self'",
    "effective-directive": "script-src-elem",
    "blocked-uri": "https://evil.example/x.js",
    "disposition": "enforce",
    "status-code": 200
  }
}

The Reporting API sends a report with type: "csp-violation" and a body object whose keys are camelCase (documentURL, blockedURL, effectiveDirective). The fields carry the same meaning across both formats.

Tips and notes

Trial new policies with Content-Security-Policy-Report-Only first.
Send both report-uri and report-to while clients migrate.
blocked-uri may be coarsened to an origin or a token like inline/eval.
disposition distinguishes an enforce block from a report (report-only).