Content-Security-Policy-Report-Only HTTP Header
Common values for this header
- default-src https:; script-src https: 'unsafe-eval' 'unsafe-inline'; style-src https: 'unsafe-inline'; img-src https: data:; font-src https: data:; report-uri /csp-report
- default-src 'none'; script-src 'self' 'unsafe-eval' 'unsafe-inline' https://www.googletagmanager.com/ https://www.google-analytics.com/ https://www.googleadservices.com/ https://*.newrelic.com/ https://*.nr-data.net/ https://tags.tiqcdn.com/; connect-src 'self'; img-src 'self' data: https://*.rackcdn.com/ https://rackspace.112.2o7.net/ https://www.google.com/ https://www.google-analytics.com/ https://googleads.g.doubleclick.net/; style-src 'self' 'unsafe-inline' https://*.rackcdn.com/; font-src 'self' https://*.rackcdn.com/; child-src 'self' https://*.doubleclick.net/ https://*.qualtrics.com/
- default-src 'self'; img-src *; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'
- style-src 'self' 'unsafe-inline' *.alibaba.com *.alisoft.com *.aliyun.com *.alipay.com *.aliexpress.com *.taobao.com *.taobao.net https://assets.alicdn.com https://login.alibaba.com *.alicdn.com *.tbcdn.com *.tbcdn.cn *.aliimg.com *.aliunicorn.com *.1688.com https://*.1688.com *.taobaocdn.com *.taobaocdn.cn *.mmstat.com *.alimama.com *.alimama.cn *.amap.com *.meitipu.com yui.yahooapis.com *.amap.com http://localhost.wwbizsrv.alibaba.com:4012 http://localhost.wwbizsrv.alibaba.com:4812 https://localhost.wwbizsrv.alibaba.com:4013 https://localhost.wwbizsrv.alibaba.com:4813 *.cnzz.com *.cnzz.net www.google.com apis.google.com translate.googleapis.com translate.google.com widgets.twimg.com platform.twitter.com twitter.com;img-src 'self' data: *.alibaba.com *.alisoft.com *.aliyun.com *.alipay.com *.aliexpress.com *.taobao.com *.taobao.net https://assets.alicdn.com https://login.alibaba.com *.alicdn.com *.tbcdn.com *.tbcdn.cn *.aliimg.com *.aliunicorn.com *.1688.com https://*.1688.com *.taobaocdn.com *.taobaocdn.cn *.mmstat.com *.alimama.com *.alimama.cn *.amap.com *.meitipu.com yui.yahooapis.com *.amap.com http://localhost.wwbizsrv.alibaba.com:4012 http://localhost.wwbizsrv.alibaba.com:4812 https://localhost.wwbizsrv.alibaba.com:4013 https://localhost.wwbizsrv.alibaba.com:4813 *.cnzz.com *.cnzz.net www.google.com apis.google.com translate.googleapis.com translate.google.com widgets.twimg.com platform.twitter.com twitter.com www.google-analytics.com www.googleadservices.com googleads.g.doubleclick.net stats.g.doubleclick.net;script-src 'self' 'unsafe-inline' 'unsafe-eval' *.alibaba.com *.alisoft.com *.aliyun.com *.alipay.com *.aliexpress.com *.taobao.com *.taobao.net https://assets.alicdn.com https://login.alibaba.com *.alicdn.com *.tbcdn.com *.tbcdn.cn *.aliimg.com *.aliunicorn.com *.1688.com https://*.1688.com *.taobaocdn.com *.taobaocdn.cn *.mmstat.com *.alimama.com *.alimama.cn *.amap.com *.meitipu.com yui.yahooapis.com *.amap.com 
  http://localhost.wwbizsrv.alibaba.com:4012 http://localhost.wwbizsrv.alibaba.com:4812 https://localhost.wwbizsrv.alibaba.com:4013 https://localhost.wwbizsrv.alibaba.com:4813 *.cnzz.com *.cnzz.net www.google.com apis.google.com translate.googleapis.com translate.google.com widgets.twimg.com platform.twitter.com twitter.com www.google-analytics.com www.googleadservices.com googleads.g.doubleclick.net stats.g.doubleclick.net;;report-uri //pointman.alibaba.com/csp?app=default
- default-src 'self' 'unsafe-inline' 'unsafe-eval'; connect-src 'self' wss://*.zopim.com; font-src 'self' data://* *.typekit.net https://v2.zopim.com; frame-src 'self' https://na51.salesforce.com; img-src 'self' https://ahc-assets-admissions-prd.s3.amazonaws.com https://p.typekit.net https://www.google-analytics.com https://*.googleusercontent.com https://v2assets.zopim.io *.zopim.com https://www.facebook.com https://s3-us-west-1.amazonaws.com https://stats.g.doubleclick.net *.americanhonors.org americanhonors.org *.pingdom.net data:; media-src 'self' 'unsafe-inline' 'unsafe-eval'; object-src 'self' 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://connect.facebook.net https://v2.zopim.com https://ahc-assets-admissions-prd.s3.amazonaws.com https://use.typekit.net https://js-agent.newrelic.com https://beacon-1.newrelic.com https://www.google-analytics.com https://ajax.googleapis.com https://www.google.com *.pingdom.net *.zopim.com; style-src 'self' 'unsafe-inline' https://ahc-assets-admissions-prd.s3.amazonaws.com https://use.typekit.net https://www.google.com https://ajax.googleapis.com; report-uri https://apply.americanhonors.org/csp-report;
- default-src *.cloud.mail.ru *.clob.mail.ru *.cloud.mail.ru *.datacloudmail.ru *.cldmail.ru *.mail.ru *.imgsmail.ru *.files.attachmail.ru *.mradx.net *.gemius.pl *.weborama.fr *.adriver.ru *.serving-sys.com featherservices.aviary.com d42hh4005hpu.cloudfront.net dme0ih8comzn4.cloudfront.net feather-client-files-aviary-prod-us-east-1.s3.amazonaws.com ; script-src 'unsafe-inline' 'unsafe-eval' *.cloud.mail.ru *.datacloudmail.ru *.cldmail.ru *.mail.ru *.imgsmail.ru *.files.attachmail.ru *.mradx.net *.yandex.ru *.odnoklassniki.ru odnoklassniki.ru *.ok.ru ok.ru *.scorecardresearch.com www.google-analytics.com featherservices.aviary.com d42hh4005hpu.cloudfront.net dme0ih8comzn4.cloudfront.net feather-client-files-aviary-prod-us-east-1.s3.amazonaws.com; img-src data: *; style-src 'unsafe-inline' *.mail.ru *.imgsmail.ru *.files.attachmail.ru *.mradx.net featherservices.aviary.com d42hh4005hpu.cloudfront.net dme0ih8comzn4.cloudfront.net feather-client-files-aviary-prod-us-east-1.s3.amazonaws.com; font-src data: cloud.mail.ru *.imgsmail.ru *.files.attachmail.ru *.mradx.net featherservices.aviary.com d42hh4005hpu.cloudfront.net dme0ih8comzn4.cloudfront.net feather-client-files-aviary-prod-us-east-1.s3.amazonaws.com; frame-src *.mail.ru *.datacloudmail.ru *.cldmail.ru docs.mail.ru *.officeapps.live.com *.mradx.net; object-src data: blob: https://*; report-uri https://cspreport.mail.ru/cloud/;
- default-src https: data:; script-src https: 'unsafe-inline' 'unsafe-eval'; style-src https: 'unsafe-inline' 'unsafe-eval'; connect-src https:; report-uri https://syw.report-uri.io/r/default/csp/reportOnly
- default-src 'self' 'unsafe-inline' 'unsafe-eval' data: ; script-src 'self' 'unsafe-inline' 'unsafe-eval' data: apis.google.com *.google-analytics.com *.nextgen.net *.service.nextgen.net *.dev.nextgen.net ; style-src 'self' 'unsafe-inline' data: netdna.bootstrapcdn.com *.googleapis.com ; img-src 'self' data: *.google-analytics.com ; font-src 'self' data: netdna.bootstrapcdn.com *.gstatic.com ; child-src 'self' content.googleapis.com accounts.google.com player.vimeo.com ; frame-ancestors 'self' ; form-action 'self' ; upgrade-insecure-requests ; block-all-mixed-content ; reflected-xss block ; report-uri https://nextgen.report-uri.io/r/default/csp/reportOnly ;
- default-src https: 'self'; base-uri 'self'; block-all-mixed-content; child-src 'self'; connect-src 'self' *.olark.com; font-src 'self' *.gstatic.com *.bootstrapcdn.com *.typekit.com data:; form-action 'self' github.com; frame-ancestors 'none'; frame-src 'self' *.twimg.com itunes.apple.com *.olark.com; img-src 'self' *.s3.amazonaws.com s3.amazonaws.com *.facebook.com *.olark.com *.gstatic.com *.google-analytics.com *.typekit.net data: about:; media-src *.olark.com; object-src 'self'; plugin-types application/x-shockwave-flash; script-src 'self' maps.google.com maps.googleapis.com *.google-analytics.com *.olark.com *.facebook.net *.bootstrapcdn.com *.typekit.com; style-src 'self' 'unsafe-inline' *.googleapis.com *.olark.com *.bootstrapcdn.com; upgrade-insecure-requests; report-uri https://report-uri.io/example-csp
- default-src 'self'; connect-src 'self' https://www.google-analytics.com https://stats.g.doubleclick.net performance.typekit.net; font-src 'self' data: https://fonts.typekit.net https://use.typekit.net; frame-src https://jira.ignitesales.com; img-src 'self' data: p.typekit.net https://www.google-analytics.com; script-src 'self' 'unsafe-eval' https://use.typekit.net https://www.google-analytics.com https://jira.ignitesales.com; style-src 'self' 'unsafe-inline' https://use.typekit.net; report-uri /lift/content-security-policy-report
- default-src https: 'unsafe-inline'; img-src robohash.org secure.gravatar.com lunchomat.s3-eu-central-1.amazonaws.com lunchomat-dev.s3-eu-central-1.amazonaws.com 'self'
- frame-ancestors ; report-uri https://csp.eservice.emarsys.com/csp-report;
- default-src 'self'; script-src 'self' 'unsafe-eval' https://widget.uservoice.com https://by2.uservoice.com https://maps.googleapis.com https://cdn.mxpnl.com https://www.gstatic.com https://www.google.com; img-src 'self' https://csi.gstatic.com/ https://pumpjack-uploads.s3.amazonaws.com https://maps.googleapis.com https://maps.gstatic.com data:; connect-src 'self' https://apis.google.com https://api.mixpanel.com https://www.quandl.com; style-src 'self' 'unsafe-inline'; report-uri /cspreport/; frame-src 'self' https://widget.uservoice.com https://www.google.com; font-src 'self' https://fonts.gstatic.com https://fonts.googleapis.com data:
- frame-ancestors 'self';report-uri 'https://f4bd454777554d73001bf6ec3ddfe8c4.report-uri.io/r/default/csp/reportOnly'
- default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self' https://geodata.nationaalgeoregister.nl; style-src 'self'; font-src 'self'; report-uri https://06c3b8b6d985cbe1e6cecd7c5143bf4a.report-uri.io/r/default/csp/reportOnly
- default-src https:
- default-src *.omnivox.ca 'unsafe-eval' 'unsafe-inline'; img-src * data: blob:; script-src *.omnivox.ca www.beanstream.com www.google.com www.gstatic.com 'unsafe-eval' 'unsafe-inline'; child-src *.omnivox.ca www.google.com *.vimeo.com www.dailymotion.com www.youtube.com ovx://*; connect-src *.omnivox.ca www.beanstream.com *.vimeo.com www.api.dailymotion.com www.googleapis.com query.yahooapis.com; object-src *.omnivox.ca www.metacafe.com; report-uri /WebApplication/Module.COMMUN/Security/CSPReports
- default-src 'self'; img-src *; style-src 'unsafe-inline'; script-src 'unsafe-inline' 'unsafe-eval'
- default-src https:; script-src https: 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline' https:; report-uri /error/js; img-src 'self' https: data:;
- default-src 'self' about: data: 'unsafe-inline' 'unsafe-eval' https://docs.google.com https://ssl.google-analytics.com https://ajax.aspnetcdn.com https://*.googlecode.com https://*.gemcloud.nl https://code.jquery.com wss://*.grexx.net wss://*.grexxboxx.com https://*.grexxboxx.com https://*.youtube.com https://themes.googleusercontent.com https://netdna.bootstrapcdn.com https://secure.gravatar.com https://*.googleapis.com https://*.gstatic.com; report-uri : /report;
- default-src 'self' platform.rokt.com partner.rokt.com rokt.com; script-src 'self' 'unsafe-inline' 'unsafe-eval' connect.facebook.net apps.rokt.com api.rokt.com roktcdn1.akamaized.net rokt.com platform.rokt.com partner.rokt.com track.hubspot.com forms.hubspot.com js.hs-analytics.net player.vimeo.com www.google-analytics.com; style-src 'self' 'unsafe-inline' roktcdn1.akamaized.net rokt.com partner.rokt.com platform.rokt.com hello.myfonts.net maxcdn.bootstrapcdn.com db.onlinewebfonts.com fonts.googleapis.com; font-src 'self' rokt.com partner.rokt.com platform.rokt.com maxcdn.bootstrapcdn.com db.onlinewebfonts.com fonts.gstatic.com; img-src 'self' roktcdn1.akamaized.net rokt.com platform.rokt.com partner.rokt.com stats.g.doubleclick.net www.google-analytics.com; connect-src 'self' api.rokt.com apps.rokt.com roktcdn1.akamaized.net platform.rokt.com bam.nr-data.net; frame-src 'self' rokt.com; report-uri https://roktdev.report-uri.io/r/default/csp/reportOnly
- default-src 'none' https; img-src 'self' https://signin.aws.amazon.com/ https://internal-cdn.amazon.com/ s3.cn-north-1.amazonaws.com.cn https://media.amazonwebservices.com https://s3.amazonaws.com https://aws-marketing.integ.amazon.com https://*.cloudfront.net; media-src 'self' https://media.amazonwebservices.com https://*.cloudfront.net; script-src 'self' signin.aws.amazon.com 'unsafe-inline'; style-src 'self' 'unsafe-inline'; report-uri /metrics/cspreport;
- default-src 'self'; child-src blob:; script-src 'self' 'unsafe-inline' blob: https://static.wunderlist.com https://ecn.dev.virtualearth.net; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob: https://*.wunderlist.com https://*.wunderlist.io https://*.s3.amazonaws.com https://notify.bugsnag.com https://www.bing.com; font-src https://static.wunderlist.com https://d1l1r288vf46ed.cloudfront.net; media-src 'self' https://*.wunderlist.com; connect-src 'self' https://*.wunderlist.com https://*.wunderlist.io wss://*.wunderlist.com https://*.s3.amazonaws.com https://ssl.google-analytics.com; frame-src 'none'; object-src 'none'; report-uri /report/csp;
- form-action 'self' ; report-uri https://nextgen.report-uri.io/r/default/csp/reportOnly ;
- default-src 'none'; script-src 'self' 'unsafe-eval' https://www.google.com 'nonce-c1c8becb-a98a-47b9-a1ec-c9196066f7ff'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https://www.google.com; child-src 'self'; font-src 'self'; connect-src 'self'; base-uri 'self'; form-action 'self'; frame-ancestors 'self'; object-src https://www.google.com; report-uri /report-violation
- default-src https: data: 'self' 'unsafe-inline'; report-uri https://pluginalliance.report-uri.io/r/default/csp/reportOnly
- default-src 'self' 'unsafe-inline' 'unsafe-eval' https: wss: data: https://*.brandmaker.com; script-src 'self' 'unsafe-inline' 'unsafe-eval' https: data:; style-src 'self' 'unsafe-inline' https:; font-src 'self' https: data:; img-src 'self' https: data:; media-src 'self' https:; connect-src 'self' https: wss:; manifest-src 'self'; object-src 'self' https:; child-src 'self' https:; report-uri https://brandmaker.report-uri.io/r/default/csp/reportOnly;
- default-src *.omnivox.ca ovx://* 'unsafe-eval' 'unsafe-inline'; img-src * data: blob:; script-src *.omnivox.ca www.beanstream.com www.google.com www.gstatic.com 'unsafe-eval' 'unsafe-inline'; child-src *.omnivox.ca www.google.com *.vimeo.com www.dailymotion.com www.youtube.com ovx://*; connect-src *.omnivox.ca www.beanstream.com *.vimeo.com www.api.dailymotion.com www.googleapis.com query.yahooapis.com; object-src *.omnivox.ca www.metacafe.com; report-uri /WebApplication/Module.COMMUN/Security/CSPReports
- default-src https: wss: 'unsafe-inline' 'unsafe-eval';font-src data: https:; report-uri https://thecoursekey.report-uri.io/r/default/csp/reportOnly;
- script-src 'self' 'unsafe-inline' 'unsafe-eval' cdn.clbspot.com cdn2.clbspot.com collabspot-v3.storage.googleapis.com www.google-analytics.com cdn.mxpnl.com; style-src 'self' 'unsafe-inline' cdn.clbspot.com cdn2.clbspot.com collabspot-v3.storage.googleapis.com fonts.googleapis.com maxcdn.bootstrapcdn.com; default-src 'none'; frame-src 'none'; img-src 'self' data: cdn2.clbspot.com cdn.clbspot.com collabspot-v3.storage.googleapis.com http://logo.clearbit.com www.google-analytics.com; media-src 'none'; child-src 'self' *.clbspot.com; connect-src 'self' www.google-analytics.com sentry.collabspot.com api.mixpanel.com; font-src 'self' fonts.gstatic.com data: maxcdn.bootstrapcdn.com; form-action 'self'; base-uri 'self'; frame-ancestors 'none'; report-uri https://sentry.collabspot.com/api/11/csp-report/?sentry_key=e6a65549f7384200b8f9fad25b379882
- font-src 'self' http://fonts.gstatic.com/ https://fonts.gstatic.com/ http://static.fyndit.com/ https://static.fyndit.com/ http://themes.googleusercontent.com/ https://themes.googleusercontent.com/;, media-src 'self' http://i.kuonamaoni.com/ http://*.vzaar.com/;, object-src 'self' http://i.kuonamaoni.com/ http://*.vzaar.com/;, report-uri /csp_report?_xsrf=2|c662356a|c5b22d56402533de987b3e7f560a8e2c|1495199825
- default-src * 'unsafe-eval' 'unsafe-inline' data:;report-uri //pointman.alibaba.com/csp?app=ae_default
- default-src 'none'; base-uri 'self'; block-all-mixed-content; child-src 'self'; connect-src 'self'; font-src 'self'; form-action 'self'; frame-ancestors 'none'; frame-src 'none'; img-src * data:; media-src 'none'; object-src 'none'; script-src 'unsafe-inline' 'unsafe-eval' 'self'; style-src 'unsafe-inline' 'self'; upgrade-insecure-requests; report-uri
- default-src 'none'; connect-src 'self' api.raygun.io m.addthis.com; img-src 'self' data: ssl.google-analytics.com; font-src 'self' fonts.gstatic.com; object-src 'self' data: www.gstatic.com; media-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' ssl.google-analytics.com www.google.com www.gstatic.com s7.addthis.com fast.wistia.net; style-src 'self' 'unsafe-inline' ajax.googleapis.com www.google.com www.gstatic.com fonts.googleapis.com; child-src 'self' fast.wistia.com s7.addthis.com *.acclipse.com *.cchifirm.us *.cchifirm.ca; frame-ancestors 'self'; form-action 'self'; report-uri https://wkifirm.report-uri.io/r/default/csp/reportOnly
- script-src *.googleapis.com *.facebook.net *.typekit.net *.pingdom.net *.pinterest.com *.google.com *.google-analytics.com *.googleadservices.com *.gstatic.com seal-easttexas.bbb.org *.brightcove.net *.eccmp.com *.annies-publishing.com *.zencdn.net *.bing.com code.jquery.com *.shareasale.com *.emjcd.com *.thawte.com *.anniescatalog.com admin.anniescatalog.com 'self' 'unsafe-inline' 'unsafe-eval'; report-uri /ajax/content_policy_violation.php
- img-src https: data:;report-uri https://www.onemorething.nl/wp-json/omt/csp-report;
- default-src 'none'; script-src 'self' https://maps.googleapis.com; connect-src 'self' wss://procensus.com https://sentry.io; object-src https://procensus.com/pdf/; img-src 'self' data: blob: https://maps.googleapis.com https://maps.gstatic.com https://www.google-analytics.com https://s3-eu-west-1.amazonaws.com/procensus-company-logos/ https://s3-eu-west-1.amazonaws.com/procensus-manager-profile-pics/ https://csi.gstatic.com https://procensus-static-images.s3-eu-west-1.amazonaws.com; style-src 'self' 'unsafe-inline' 'unsafe-eval' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; report-uri https://sentry.io/api/147598/csp-report/?sentry_key=f4e33cc37d3b4e6788d97f1e70b0b0da&sentry_release=1-master-1793:29b9cfa33fb8
- default-src 'self' https://pickaxis.com https://gameon365.net; script-src 'self' 'unsafe-inline' https://pickaxis.com https://gameon365.net; style-src 'self' 'unsafe-inline' https://pickaxis.com https://gameon365.net; img-src *; connect-src 'self' https://pickaxis.com; media-src *; object-src 'none'; child-src *; frame-ancestors 'self' *.pickaxis.com https://pickaxis.com; form-action 'self' https://pickaxis.com; disown-opener; sandbox allow-forms allow-same-origin allow-scripts allow-top-navigation; reflected-xss block; referrer origin-when-cross-origin; report-uri https://pickaxis.report-uri.io/r/default/csp/reportOnly;
- default-src 'self' update.auerswald.de; script-src 'self'; style-src 'self' 'unsafe-inline'; object-src 'none'; child-src 'self'; frame-src 'self'; report-uri /cspviolation;
- default-src 'self' 'unsafe-inline'; report-uri https://www.cs.ait.ac.th/cgi-bin/report