Directive: report uri

Overview

The report-uri directive instructs the user agent to report attempts to violate the Content Security Policy. These violation reports consist of JSON documents sent via an HTTP POST request to the specified URI.

Warning

In CSP Level 3, the report-uri directive is deprecated in favor or report-to which has a different syntax. Not all browsers support report-to yet, so we recommend using BOTH until browser support for report-to improves.

Required reading:

• Can I use report-uri?
• MDN Web Docs reference

Usage examples

Accepts one or more fully-qualified URLs, without username, password, or fragment.

report-uri https://ryanparman.report-uri.com/r/d/csp/wizard

report-uri https://ryanparman.report-uri.com/r/d/csp/wizard wss://example.org

Fallbacks

❌ report-uri does not fallback to default-src.

Possible errors

• CSP-0400 — [ERROR] directive %s has an invalid value %s
• CSP-0401 — [ERROR] directive %s: could not parse as a URL: %s
• CSP-0402 — [ERROR] directive %s: URL %s is missing a SCHEME, which is required
• CSP-0403 — [ERROR] directive %s: URL %s includes a FRAGMENT, which is disallowed
• CSP-0805 — [WARN] directive report-uri is valid in CSP2, but will be deprecated in CSP3

For developers

ABNF (CSP3)

directive-name  = "report-uri"
directive-value = uri-reference *( required-ascii-whitespace uri-reference )

See ABNF: uri-reference

Type

• uri-reference in RFC 3986 § 4.1

References

• CSP Level 2 reference
• CSP Level 3 reference
• MDN Web Docs reference
• Can I use report-uri?