| Line 468: | Line 468: | ||
== Report-Only mode == | == Report-Only mode == | ||
To ease deployment, CSP can be deployed in "report-only" mode where a policy served is not enforced, but any violations are reported to a provided URI. The effect is a "what if" scenario where a site can specify a policy and measure how much breaks. | To ease deployment, CSP can be deployed in "report-only" mode where a policy served is not enforced, but any violations are reported to a provided URI. The effect is a "what if" scenario where a site can specify a policy and measure how much breaks. Additionally, a report-only header can be used to test a future revision to a policy without actually deploying it. | ||
Report-only mode is enabled by specifying a policy in the <tt>X-Content-Security-Policy-Report-Only</tt> header instead of the <tt>X-Content-Security-Policy</tt> header. | Report-only mode is enabled by specifying a policy in the <tt>X-Content-Security-Policy-Report-Only</tt> header instead of the <tt>X-Content-Security-Policy</tt> header. | ||
If both a <tt>X-Content-Security-Policy-Report-Only</tt> header and a <tt>X-Content-Security-Policy</tt> header are present in the same response, | If both a <tt>X-Content-Security-Policy-Report-Only</tt> header and a <tt>X-Content-Security-Policy</tt> header are present in the same response, both policies are honored. The policy specified in <tt>X-Content-Security-Policy</tt> headers is enforced. All loads/scripts are compared the one specified in the <tt>X-Content-Security-Policy-Report-Only</tt> header, and any violations generate reports but are not enforced. | ||
=HTTP Server Behavior= | =HTTP Server Behavior= | ||
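Review bot: the new sentence added to the "both headers present" paragraph is missing a preposition: "All loads/scripts are compared the one specified in the X-Content-Security-Policy-Report-Only header" should read "compared against the one specified in the X-Content-Security-Policy-Report-Only header". In the same paragraph, "a X-Content-Security-Policy-Report-Only header" and "a X-Content-Security-Policy header" should be "an ..." on both occurrences; the article error is on both sides of the diff, but this revision rewrites the sentence, so it is the natural place to fix it. The "Report-Only mode" paragraph's new closing sentence ("a report-only header can be used to test a future revision to a policy without actually deploying it") reads well and matches the "what if" framing already given.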