Content Security Policy (CSP) lets a web server declare, for each content type (scripts, styles, images, frames, media and so on), the origins from which the browser may load that content as intended by the site's authors. The Content-Security-Policy-Report-Only header instructs the browser to evaluate the same policy in report-only mode: nothing is blocked, but every load the policy would have blocked is sent as a violation report to the endpoint named by the report-uri (or report-to) directive, so the authors can fine-tune the policy before switching to enforcement. Without such an endpoint a report-only policy is inert: violations appear only in the visitor's browser console and never reach the site operators.


We have seen 1355 websites setting the Content-Security-Policy-Report-Only HTTP header and 2718 unique values of this header.

  • ipsec.pl connect-src http://ajax.googleapis.com https://api.mixpanel.com http://api.mixpanel.com 'self' ; child-src 'none' ; font-src data: 'self' https://ipsec.pl ; form-action https://bitpay.com 'self' ; frame-ancestors about ; frame-src https://platform.twitter.com https://googleads.g.doubleclick.net https://disqus.com http://disqus.com http://static.ak.facebook.com https://s-static.ak.facebook.com http://googleads.g.doubleclick.net https://accounts.google.com https://apis.google.com http://www.facebook.com https://www.facebook.com https://docs.google.com ; img-src https://bitpay.com https://www.paypalobjects.com data: https://ddfnmo6ev4fd.cloudfront.net https://syndication.twitter.com http://ssl.gstatic.com https://ssl.gstatic.com http://www.google-analytics.com 'self' https://licensebuttons.net https://cdn.mxpnl.com https://i.creativecommons.org http://webcookies.org http://i.creativecommons.org https://referrer.disqus.com https://a.disquscdn.com http://referrer.disqus.com http://a.disquscdn.com https://cspbuilder.info http://ipsec.pl https://pagead2.googlesyndication.com https://ipsec.pl http://www.userfriendly.org http://www.commoncriteriaportal.org https://translate.googleapis.com https://www.google.com http://books.google.com http://www.isaca.org.pl ; media-src 'none' ; object-src http://www.gstatic.com https://www.gstatic.com ; script-src 'unsafe-inline' https://cdn.shorte.st 'self' http://cdn.shorte.st http://ajax.googleapis.com https://connect.facebook.net https://platform.twitter.com https://pagead2.googlesyndication.com https://ipsecpl.disqus.com https://cdn.mxpnl.com https://a.disquscdn.com http://pagead2.googlesyndication.com https://apis.google.com http://cdn.mxpnl.com http://echelonpl.disqus.com http://a.disquscdn.com http://connect.facebook.net http://kabardianscom.disqus.com http://www.google-analytics.com https://translate.googleapis.com https://ipsec.pl ; style-src 'unsafe-eval' 'self' https://a.disquscdn.com http://a.disquscdn.com 
'unsafe-inline' https://ipsec.pl https://translate.googleapis.com 'sha256-biLFinpqYMtWHmXfkA1BPeCY0_fNt46SAZ-BBk5YUog=' 'sha256-8m4ZfQO1dcDrd8NIqrD65j_oFAvwatY-qnj3LyeMeNU=' 'sha256-z2SGTT4ILa-t7ykFA7BFHxiwrAWlkHO66GjvBX1Egdg=' 'sha256-Uhw0UazBxCkSgpfk0N4m7LwQBg0Xp_A2YeAjqihrdcg=' 'sha256-hVJ5c_E1lGR-ZZ7IfDKLBFKn7tRJhckCloBIaK4lQRA=' 'sha256-aqNNdDLnnrDOnTNdkJpYlAxKVJtLt9CtFLklmInuUAE=' ; default-src 'none' ; strict-mixed-content-checking; reflected-xss filter; referrer origin-when-cross-origin;, connect-src http://ajax.googleapis.com https://api.mixpanel.com http://api.mixpanel.com 'self' ; child-src 'none' ; font-src data: 'self' https://ipsec.pl ; form-action https://bitpay.com 'self' ; frame-ancestors about ; frame-src https://platform.twitter.com https://googleads.g.doubleclick.net https://disqus.com http://disqus.com http://static.ak.facebook.com https://s-static.ak.facebook.com http://googleads.g.doubleclick.net https://accounts.google.com https://apis.google.com http://www.facebook.com https://www.facebook.com https://docs.google.com ; img-src https://bitpay.com https://www.paypalobjects.com data: https://ddfnmo6ev4fd.cloudfront.net https://syndication.twitter.com http://ssl.gstatic.com https://ssl.gstatic.com http://www.google-analytics.com 'self' https://licensebuttons.net https://cdn.mxpnl.com https://i.creativecommons.org http://webcookies.org http://i.creativecommons.org https://referrer.disqus.com https://a.disquscdn.com http://referrer.disqus.com http://a.disquscdn.com https://cspbuilder.info http://ipsec.pl https://pagead2.googlesyndication.com https://ipsec.pl http://www.userfriendly.org http://www.commoncriteriaportal.org https://translate.googleapis.com https://www.google.com http://books.google.com http://www.isaca.org.pl ; media-src 'none' ; object-src http://www.gstatic.com https://www.gstatic.com ; script-src https://cdn.shorte.st 'self' http://cdn.shorte.st http://ajax.googleapis.com https://connect.facebook.net https://platform.twitter.com 
https://pagead2.googlesyndication.com https://ipsecpl.disqus.com https://cdn.mxpnl.com https://a.disquscdn.com http://pagead2.googlesyndication.com https://apis.google.com http://cdn.mxpnl.com http://echelonpl.disqus.com http://a.disquscdn.com http://connect.facebook.net http://kabardianscom.disqus.com http://www.google-analytics.com https://translate.googleapis.com https://ipsec.pl ; style-src 'unsafe-eval' 'self' https://a.disquscdn.com http://a.disquscdn.com 'unsafe-inline' https://ipsec.pl https://translate.googleapis.com 'sha256-biLFinpqYMtWHmXfkA1BPeCY0_fNt46SAZ-BBk5YUog=' 'sha256-8m4ZfQO1dcDrd8NIqrD65j_oFAvwatY-qnj3LyeMeNU=' 'sha256-z2SGTT4ILa-t7ykFA7BFHxiwrAWlkHO66GjvBX1Egdg=' 'sha256-Uhw0UazBxCkSgpfk0N4m7LwQBg0Xp_A2YeAjqihrdcg=' 'sha256-hVJ5c_E1lGR-ZZ7IfDKLBFKn7tRJhckCloBIaK4lQRA=' 'sha256-aqNNdDLnnrDOnTNdkJpYlAxKVJtLt9CtFLklmInuUAE=' ; default-src 'none' ; strict-mixed-content-checking; reflected-xss filter; referrer origin-when-cross-origin;
  • zyalt.livejournal.com default-src *.livejournal.com *.livejournal.net; script-src *.livejournal.com *.livejournal.net *.google-analytics.com *.googletagmanager.com *.scorecardresearch.com *.top100.ru *.yandex.ru *.criteo.com yastatic.net *.plista.com *.facebook.com vk.com *.ok.ru *.pingdom.com *.pingdom.net *.vk.com *.twitter.com *.twimg.com *.facebook.net *.instagram.com *.services.livejournal.com *.videos.livejournal.com *.adfox.ru *.exelator.com *.rambler.ru *.rubiconproject.com *.yahooapis.com *.newrelic.com *.nr-data.net *.doubleclick.net googleads.g.doubleclick.net *.lj.ru *.googleapis.com *.youtube.com *.varlamov.me *.varlamov.com *.google.com static.xx.fbcdn.net dsp-rambler.ru openstat.net *.rnet.plus twemoji.maxcdn.com *.googletagservices.com *.googlesyndication.com mc.yandex.ru ymetrica.com telegram.org 'unsafe-inline' 'unsafe-eval'; style-src https: data: 'unsafe-inline'; img-src https: data:; frame-src https:; font-src https: data:; connect-src *.livejournal.com *.livejournal.net *.services.livejournal.com *.google-analytics.com ssp.rambler.ru *.yandex.ru *.ssp.rambler.ru lj.stat.eagleplatform.com *.pingdom.net *.googleapis.com kraken.rambler.ru *.twitter.com *.youtube.com googleads.g.doubleclick.net static.xx.fbcdn.net *.lj.ru *.rnet.plus mc.yandex.ru ymetrica.com; report-uri https://livejournal.com/csp_reports
  • www.google.com script-src 'nonce-XJ8mXvdsugRiSxtShlyQgWH3Tnw' 'unsafe-inline' 'strict-dynamic' https: http: 'unsafe-eval';object-src 'none';base-uri 'self';report-uri https://csp.withgoogle.com/csp/recaptcha/1
  • youtube.com default-src 'self' 'unsafe-inline' 'unsafe-eval' https:; img-src https: data:; report-uri /csp_204?t=https&vcs=c55c33aa3ecbde501decf08bc8fa151c&ts=Thu+Mar+19+18%3A05%3A45+2015+%281426813545%29&pcl=89086903
  • litographs.com default-src 'self' *; connect-src 'self' *; font-src 'self' * data:; frame-src 'self' *; img-src 'self' * data:; media-src 'self' *; object-src 'self' *; script-src 'self' * 'unsafe-inline' 'unsafe-eval'; style-src 'self' * 'unsafe-inline'; frame-ancestors www.litographs.com; report-uri /csp-report/73bd5db5-fdcb-477d-b65a-e0184ddb6d7d?source%5Baction%5D=index&source%5Bcontroller%5D=shop&source%5Bsection%5D=storefront;
  • www.youtube.com connect-src https:; default-src 'self' 'unsafe-inline' 'unsafe-eval' https:; img-src https: data:; media-src https: blob:; report-uri /csp_204?t=https&vcs=f324a12ec355a21ac2fb325add8fea55&pcl=167218539&plabel=youtube_20170830_0_RC3
  • www.huffingtonpost.com default-src 'self' data: https: blob:; script-src 'self' data: 'unsafe-inline' 'unsafe-eval' https:; style-src 'self' 'unsafe-inline' https:; img-src 'self' data: https:; font-src 'self' data: https:; worker-src * blob:; report-uri https://huffpost.report-uri.io/r/default/csp/reportOnly;
  • www.ew.com default-src 'self' https: wss: data: blob: none: gsa: 'unsafe-inline' 'unsafe-eval'; report-uri https://csp-endpoint.timeinc.net/
  • www.bild.de script-src 'unsafe-inline' 'unsafe-eval' 'self' blob: data: https:; style-src 'self' 'unsafe-inline' blob: data: https:; default-src 'self' https:; img-src https: blob: data: android-webview-video-poster:; frame-src blob: data: https:; worker-src blob: data: https:; child-src blob: data: https:; object-src 'self'; font-src 'self' https: blob: data: safari-extension://*; media-src 'self' blob: data: https:; connect-src wss: blob: data: https:; report-uri /csp_ep
  • www.aftonbladet.se default-src 'self' 'unsafe-eval' 'unsafe-inline' https: blob:;style-src https: 'unsafe-inline';connect-src https:;frame-src https: easy-js:;script-src 'unsafe-eval' 'unsafe-inline' https: blob: data:;font-src https: data:;img-src https: data:;media-src https: blob:;report-uri https://collector.schibsted.io/api/v1/csp/aftonbladet/publishing/pro
  • www.svd.se default-src https: data: blob: react-js-navigation: 'unsafe-inline' 'unsafe-eval'; report-uri https://svd.report-uri.io/r/default/csp/reportOnly
  • sport.idnes.cz default-src 'self' https: 'unsafe-inline' data: 'unsafe-eval'; report-uri https://servix.idnes.cz/log/csp-report.aspx?w=sport&d=2018-05-25
  • www.vg.no default-src 'self' 'unsafe-eval' 'unsafe-inline' https: blob:;style-src https: 'unsafe-inline';connect-src https:;frame-src https:;script-src 'unsafe-eval' 'unsafe-inline' https: blob: data:;font-src https: data:;img-src https: data:;media-src https: blob:; report-uri https://collector.schibsted.io/api/v1/csp/vg/publishing/pro
  • www.nrk.no default-src 'self' https:; script-src 'self' 'unsafe-inline' https:; style-src 'self' 'unsafe-inline' https:; img-src 'self' data: https:; connect-src 'self' https: wss://ws.pusherapp.com; report-uri https://adb6bb6976c70068813b1d54366f2e61.report-uri.io/r/default/csp/reportOnly;
  • www.smh.com.au default-src https: data: blob: 'unsafe-inline' 'unsafe-eval' 'report-sample'; img-src http: https: data: blob:; media-src http: https: data: blob:; report-uri https://csp.ffx.io/
  • siteclinic.ru default-src https:; script-src https: 'unsafe-eval' 'unsafe-inline'; style-src https: 'unsafe-inline'; img-src https: data:; font-src https: data:; report-uri /csp-report
  • followweddingco.com.tw default-src *; img-src https:; frame-src 'none'; report-uri www.followweddingco.com.tw
  • brilliant.co default-src 'self' *; connect-src 'self' *; font-src 'self' * data:; frame-src 'self' *; img-src 'self' * data:; media-src 'self' *; object-src 'self' *; script-src 'self' * 'unsafe-inline' 'unsafe-eval'; style-src 'self' * 'unsafe-inline'; frame-ancestors www.brilliant.co; report-uri /csp-report/6e06ff7e-c16f-4cc0-9464-dbcad12235ec?source%5Baction%5D=index&source%5Bcontroller%5D=shop&source%5Bsection%5D=storefront;
  • kotaku.com default-src https: 'unsafe-inline' 'self'; media-src https: blob:; worker-src https: blob:; img-src data: https:; script-src 'unsafe-eval' 'unsafe-inline' https:; block-all-mixed-content; report-uri https://kinja-debug.firebaseio.com/csp.json
  • airbnb.gr default-src 'self' login.airbnb.com *.muscache.com *.gstatic.com *.googleapis.com *.siftscience.com; connect-src 'self' *.muscache.com *.inspectlet.com inspectletws.herokuapp.com *.ethn.io; font-src 'self' login.airbnb.com *.muscache.com *.gstatic.com *.googleapis.com *.siftscience.com; frame-src 'self' login.airbnb.com *.muscache.com *.gstatic.com *.googleapis.com *.siftscience.com *.facebook.com *.doubleclick.net ldp.airbnb.com; img-src 'self' login.airbnb.com *.muscache.com *.gstatic.com *.googleapis.com *.siftscience.com www.google-analytics.com *.doubleclick.net www.google.com api.nanigans.com *.facebook.com *.akamaihd.net api.swiftype.com impression.yozio.com *.inspectlet.com data:; media-src 'self' login.airbnb.com *.muscache.com *.gstatic.com *.googleapis.com *.siftscience.com; object-src 'self' login.airbnb.com *.muscache.com *.gstatic.com *.googleapis.com *.siftscience.com; script-src 'sha256-u2Q8q05eE9sGTtoF1jHQr/MyxABO6Iqnm4kqfevVVq8=' 'sha256-8Kp4YIWqA8yhCJaTWnmB7Wv7OjnXnX661ygwccVuDRw=' 'sha256-+DiANpY+GXjnCGOB1JGKEkNzE8PgbQY1SG6gUV2nvJw=' 'sha256-lvqccA0Wog7L8KmHIABM+Wr1+bJyIYtlR5NooOvweM4=' 'self' login.airbnb.com *.muscache.com *.gstatic.com *.googleapis.com *.siftscience.com www.google-analytics.com www.googletagmanager.com www.googleadservices.com connect.facebook.net cdn.embedly.com *.facebook.com api.swiftype.com 'unsafe-eval' 'unsafe-inline' *.inspectlet.com *.ethn.io; style-src 'self' login.airbnb.com *.muscache.com *.gstatic.com *.googleapis.com *.siftscience.com 'unsafe-inline';
  • luxyhair.com default-src 'self' *; connect-src 'self' *; font-src 'self' * data:; frame-src 'self' *; img-src 'self' * data:; media-src 'self' *; object-src 'self' *; script-src 'self' * 'unsafe-inline' 'unsafe-eval'; style-src 'self' * 'unsafe-inline'; frame-ancestors www.luxyhair.com; report-uri /csp-report/37d349ce-1be8-4d5f-b9ad-e77fbb4904d4?source%5Baction%5D=index&source%5Bcontroller%5D=shop&source%5Bsection%5D=storefront;
  • hakshop.myshopify.com default-src 'self' *; connect-src 'self' *; font-src 'self' * data:; frame-src 'self' *; img-src 'self' * data:; media-src 'self' *; object-src 'self' *; script-src 'self' * 'unsafe-inline' 'unsafe-eval'; style-src 'self' * 'unsafe-inline'; frame-ancestors hakshop.myshopify.com; report-uri /csp-report/c0244361-fac8-42ec-a332-0fcdedff1720?source%5Baction%5D=index&source%5Bcontroller%5D=shop&source%5Bsection%5D=storefront;
  • www.pudelek.pl block-all-mixed-content; report-uri https://www.wp.pl/v1/csplog
  • www.ukrinform.ua default-src https:; script-src https: 'unsafe-eval' 'unsafe-inline'; style-src https: 'unsafe-inline'; img-src https: data:; font-src https: data:; report-uri /csp-report
  • bodyjewelrysource.com default-src 'self' *; connect-src 'self' *; font-src 'self' * data:; frame-src 'self' *; img-src 'self' * data:; media-src 'self' *; object-src 'self' *; script-src 'self' * 'unsafe-inline' 'unsafe-eval'; style-src 'self' * 'unsafe-inline'; frame-ancestors bodyjewelrysource.com; report-uri /csp-report/5889af27-5b59-4d68-b666-ad4780bf6f4b?source%5Baction%5D=index&source%5Bcontroller%5D=shop&source%5Bsection%5D=storefront;
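The values above are raw header strings; the questions a practitioner asks of them are mechanical: which directive governs scripts, does it contain 'unsafe-inline' without a nonce or hash, is it wide open via '*' or a bare scheme, is object-src locked down, and does a report-only policy even have somewhere to send reports. The following is an added example, not code from this page or from any of the sites listed. It parses a (possibly comma-joined, as when a server sets the header twice) header value into per-policy directive maps, applies this editor's own audit heuristics, and maps a violation report of the kind browsers POST to report-uri to the change worth considering. The three policies are copied from the www.google.com, litographs.com and www.pudelek.pl entries above; the two violation reports and the shop.example / cdn.widget.example hosts are constructed for illustration.

```python
"""Parse, audit and triage Content-Security-Policy(-Report-Only) header values.

Added example, not code from the page or from any of the sites it lists.
The audit rules are this editor's heuristics; the policies are copied from
the list above and the violation reports are constructed.
"""
import json
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

Policy = Dict[str, List[str]]

# Copied verbatim from the www.google.com, litographs.com and www.pudelek.pl entries above.
SAMPLE_POLICIES = {
    "www.google.com": "script-src 'nonce-XJ8mXvdsugRiSxtShlyQgWH3Tnw' 'unsafe-inline' "
                      "'strict-dynamic' https: http: 'unsafe-eval';object-src 'none';"
                      "base-uri 'self';report-uri https://csp.withgoogle.com/csp/recaptcha/1",
    "litographs.com": "default-src 'self' *; connect-src 'self' *; font-src 'self' * data:; "
                      "frame-src 'self' *; img-src 'self' * data:; media-src 'self' *; "
                      "object-src 'self' *; script-src 'self' * 'unsafe-inline' 'unsafe-eval'; "
                      "style-src 'self' * 'unsafe-inline'; frame-ancestors www.litographs.com; "
                      "report-uri /csp-report/73bd5db5-fdcb-477d-b65a-e0184ddb6d7d"
                      "?source%5Baction%5D=index&source%5Bcontroller%5D=shop&source%5Bsection%5D=storefront;",
    "www.pudelek.pl": "block-all-mixed-content; report-uri https://www.wp.pl/v1/csplog",
}

# Constructed reports in the JSON shape a browser POSTs to report-uri (not captured from any site).
# The second one is CSP1-style: no effective-directive, and blocked-uri "inline" for an inline script.
SAMPLE_REPORTS = [
    json.dumps({"csp-report": {"document-uri": "https://shop.example/", "effective-directive": "script-src",
                               "violated-directive": "script-src 'self'",
                               "blocked-uri": "https://cdn.widget.example/w.js"}}),
    json.dumps({"csp-report": {"document-uri": "https://shop.example/", "violated-directive": "script-src 'self'",
                               "blocked-uri": "inline", "line-number": 12}}),
]


def parse_policies(header_value: str) -> List[Policy]:
    """Split a header value into policies, each a {directive: [sources]} map.

    A server that sets the header twice yields one comma-joined value on the wire
    (the ipsec.pl entry above); each policy is enforced and reported on its own.
    Within a policy only the first occurrence of a directive counts, per the spec.
    Assumes report-uri values contain no literal commas (true of every entry above).
    """
    policies: List[Policy] = []
    for serialized in header_value.split(","):
        policy: Policy = {}
        for token in serialized.split(";"):
            parts = token.split()
            if parts and parts[0].lower() not in policy:
                policy[parts[0].lower()] = parts[1:]
        if policy:
            policies.append(policy)
    return policies


def _keyed(sources: List[str]) -> bool:
    """True if a nonce or hash source is present (CSP2+ browsers then ignore 'unsafe-inline')."""
    return any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in sources)


def audit(policy: Policy) -> List[str]:
    """Return the weaknesses a reviewer would flag before switching to enforcement."""
    findings = []
    scripts = policy.get("script-src", policy.get("default-src"))  # default-src is the fallback
    if scripts is None:
        findings.append("no script-src or default-src: script loading is not restricted at all")
    else:
        if "'unsafe-inline'" in scripts and not _keyed(scripts):
            findings.append("script-src allows 'unsafe-inline' with no nonce/hash: XSS payloads run unhindered")
        if "'unsafe-eval'" in scripts:
            findings.append("script-src allows 'unsafe-eval': string-to-code sinks stay exploitable")
        broad = [s for s in scripts if s in ("*", "https:", "http:", "data:", "blob:")]
        if broad and "'strict-dynamic'" not in scripts:  # 'strict-dynamic' makes host/scheme sources moot
            findings.append("script-src trusts %s: any host on that scheme can serve scripts" % " ".join(broad))
    objects = policy.get("object-src", policy.get("default-src"))
    if objects is None or "'none'" not in objects:
        findings.append("object-src is not 'none': plugin content is allowed")
    if "report-uri" not in policy and "report-to" not in policy:
        findings.append("no report-uri/report-to: in report-only mode violations reach only the visitor's console")
    return findings


def suggest_from_report(report_json: str) -> Tuple[str, str]:
    """Map one violation report to the directive it hit and the change worth considering."""
    report = json.loads(report_json)["csp-report"]
    directive = report.get("effective-directive") or report["violated-directive"].split()[0]
    blocked = report.get("blocked-uri", "")
    if blocked == "inline":  # inline script or style: fix with a nonce/hash, never with 'unsafe-inline'
        return directive, "inline code blocked: move it to a file or add a 'nonce-'/'sha256-' source"
    if blocked == "eval":
        return directive, "eval blocked: remove the eval()/new Function() call rather than adding 'unsafe-eval'"
    parts = urlsplit(blocked)
    if parts.scheme and parts.netloc:  # fetched resource: the origin, not the full path, goes in the policy
        return directive, f"add {parts.scheme}://{parts.netloc} if this host is genuinely trusted"
    return directive, f"unexpected blocked-uri {blocked!r}: inspect manually"


if __name__ == "__main__":
    for site, value in SAMPLE_POLICIES.items():
        for policy in parse_policies(value):
            print(site)
            for finding in audit(policy):
                print("  -", finding)
    for report in SAMPLE_REPORTS:
        print(suggest_from_report(report))
```

Run as a script it prints the findings per site and the triage for both reports; imported, `audit` and `suggest_from_report` can be pointed at a live collector's stored reports. Note that the www.google.com value trips only the 'unsafe-eval' rule: its 'unsafe-inline' and the bare `https: http:` are deliberate fallbacks for pre-CSP3 browsers, disabled by the nonce and 'strict-dynamic' in anything newer.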