Security/CSP/Specification

172 bytes added, 18:34, 21 May 2010
Report-Only mode
== Report-Only mode ==
To ease deployment, CSP can be deployed in "report-only" mode, where the policy served is not enforced but any violations are reported to a provided URI. The effect is a "what if" scenario: a site can specify a policy and measure how much of the site would break under it. Additionally, a report-only header can be used to test a future revision of a policy without actually deploying it.
Report-only mode is enabled by specifying a policy in the <tt>X-Content-Security-Policy-Report-Only</tt> header instead of the <tt>X-Content-Security-Policy</tt> header.
If both a <tt>X-Content-Security-Policy-Report-Only</tt> header and a <tt>X-Content-Security-Policy</tt> header are present in the same response, a warning is posted to the user agent's error console and both policies are honored. The policy specified in the <tt>X-Content-Security-Policy</tt> header is enforced. All loads/scripts are also compared against the policy specified in the <tt>X-Content-Security-Policy-Report-Only</tt> header, and any violations of that policy generate reports but are not enforced.
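The following is an added example, not code from this specification or from Mozilla's implementation. It models the decision a user agent makes for a single load when an enforced header, a report-only header, or both are present: only the <tt>X-Content-Security-Policy</tt> policy can block the load, while a violation of either policy produces a report addressed to that policy's <tt>report-uri</tt>. The policy syntax is assumed to be a ';'-separated directive list with <tt>allow</tt> as the catch-all directive, the source-expression matching is a simplified version of the real one, and the keys of the report dictionaries are illustrative rather than the specification's report format.

```python
from urllib.parse import urlsplit

# Header names as used in this version of the specification.
ENFORCE_HEADER = "X-Content-Security-Policy"
REPORT_ONLY_HEADER = "X-Content-Security-Policy-Report-Only"


def parse_policy(text):
    """Parse a directive list such as "allow 'self'; img-src *; report-uri /r".

    Assumed syntax: directives separated by ';', each a directive name followed
    by whitespace-separated source expressions. 'allow' is taken to be the
    catch-all directive for load types that have no directive of their own.
    """
    policy = {}
    for directive in text.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def source_allows(source, load_url, page_url):
    """Does one source expression permit loading load_url from page_url?

    Simplified matching (assumption): '*', 'none', 'self', and host sources
    with an optional scheme and a leading '*.' wildcard.
    """
    load, page = urlsplit(load_url), urlsplit(page_url)
    if source == "*":
        return True
    if source == "'none'":
        return False
    if source == "'self'":
        return (load.scheme, load.netloc) == (page.scheme, page.netloc)
    if "://" in source:
        scheme, host = source.split("://", 1)
        if load.scheme != scheme:
            return False
    else:
        host = source
    if host.startswith("*."):
        return load.hostname is not None and load.hostname.endswith(host[1:])
    return load.hostname == host


def policy_allows(policy, load_type, load_url, page_url):
    """Check one load (load_type such as "script-src") against a parsed policy."""
    if load_type in policy:
        sources = policy[load_type]
    elif "allow" in policy:
        sources = policy["allow"]
    else:
        sources = ["*"]          # no applicable directive: nothing restricts the load
    return any(source_allows(s, load_url, page_url) for s in sources)


def handle_load(headers, load_type, load_url, page_url):
    """Model the user agent's handling of one load given the response headers.

    Returns (allowed, reports, warnings). 'reports' holds one entry per
    violated policy, tagged with whether that policy was enforced or
    report-only; only a violation of the enforced policy blocks the load.
    """
    warnings, reports = [], []
    enforce = headers.get(ENFORCE_HEADER)
    report_only = headers.get(REPORT_ONLY_HEADER)
    if enforce is not None and report_only is not None:
        # Both headers present: warn on the error console, honor both policies.
        warnings.append("Both %s and %s present: enforcing the former, "
                        "reporting violations of the latter"
                        % (ENFORCE_HEADER, REPORT_ONLY_HEADER))
    allowed = True
    for header_text, mode in ((enforce, "enforced"), (report_only, "report-only")):
        if header_text is None:
            continue
        policy = parse_policy(header_text)
        if policy_allows(policy, load_type, load_url, page_url):
            continue
        if mode == "enforced":
            allowed = False      # the report-only policy never blocks anything
        reports.append({
            "report-uri": (policy.get("report-uri") or [None])[0],
            "load-type": load_type,
            "blocked-uri": load_url,
            "mode": mode,
        })
    return allowed, reports, warnings
```

A typical use of the two headers together is a site that enforces its current policy while trialling a stricter revision in the report-only header: loads that the stricter revision would block still succeed, but each one is reported to the revision's own <tt>report-uri</tt>, so the breakage can be measured before the revision is promoted to the enforcing header.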
=HTTP Server Behavior=