X-Content-Security-Policy-Report-Only HTTP Header
Common values for this header
- default-src 'self' localhost:*; style-src 'self' localhost:* https://fonts.googleapis.com; script-src 'self' localhost:* http://extjs.cachefly.net https://ecn.dev.virtualearth.net https://ssl.google-analytics.com http://www.google-analytics.com; font-src 'self' localhost:* https://themes.googleusercontent.com; img-src *; media-source: 'none';
- default-src 'self'; connect-src 'self' https://www.google-analytics.com https://stats.g.doubleclick.net performance.typekit.net; font-src 'self' data: https://fonts.typekit.net https://use.typekit.net; frame-src https://jira.ignitesales.com; img-src 'self' data: p.typekit.net https://www.google-analytics.com; script-src 'self' 'unsafe-eval' https://use.typekit.net https://www.google-analytics.com https://jira.ignitesales.com; style-src 'self' 'unsafe-inline' https://use.typekit.net; report-uri /lift/content-security-policy-report
- default-src 'none' https; img-src 'self' https://signin.aws.amazon.com/ https://internal-cdn.amazon.com/ s3.cn-north-1.amazonaws.com.cn https://media.amazonwebservices.com https://s3.amazonaws.com https://aws-marketing.integ.amazon.com https://*.cloudfront.net; media-src 'self' https://media.amazonwebservices.com https://*.cloudfront.net; script-src 'self' signin.aws.amazon.com 'unsafe-inline'; style-src 'self' 'unsafe-inline'; report-uri /metrics/cspreport;