Most popular variants of the header value (we only show this when there's just a bunch of variants):

Legacy, deprecated variant of the Content-Security-Policy-Report-Only header, used by Firefox and MSIE browsers during the initial period of CSP support.


We have seen 60 websites setting the X-Content-Security-Policy-Report-Only HTTP header and 32 unique values of this header.

  • zyalt.livejournal.com default-src *.livejournal.com *.livejournal.net; script-src *.livejournal.com *.livejournal.net *.google-analytics.com *.googletagmanager.com *.scorecardresearch.com *.top100.ru *.yandex.ru *.criteo.com yastatic.net *.plista.com *.facebook.com vk.com *.ok.ru *.pingdom.com *.pingdom.net *.vk.com *.twitter.com *.twimg.com *.facebook.net *.instagram.com *.services.livejournal.com *.videos.livejournal.com *.adfox.ru *.exelator.com *.rambler.ru *.rubiconproject.com *.yahooapis.com *.newrelic.com *.nr-data.net *.doubleclick.net googleads.g.doubleclick.net *.lj.ru *.googleapis.com *.youtube.com *.varlamov.me *.varlamov.com *.google.com static.xx.fbcdn.net dsp-rambler.ru openstat.net *.rnet.plus twemoji.maxcdn.com *.googletagservices.com *.googlesyndication.com mc.yandex.ru ymetrica.com telegram.org 'unsafe-inline' 'unsafe-eval'; style-src https: data: 'unsafe-inline'; img-src https: data:; frame-src https:; font-src https: data:; connect-src *.livejournal.com *.livejournal.net *.services.livejournal.com *.google-analytics.com ssp.rambler.ru *.yandex.ru *.ssp.rambler.ru lj.stat.eagleplatform.com *.pingdom.net *.googleapis.com kraken.rambler.ru *.twitter.com *.youtube.com googleads.g.doubleclick.net static.xx.fbcdn.net *.lj.ru *.rnet.plus mc.yandex.ru ymetrica.com; report-uri https://livejournal.com/csp_reports
  • inzoomnet.livejournal.com default-src *.livejournal.com *.livejournal.net; script-src *.livejournal.com *.livejournal.net *.google-analytics.com *.googletagmanager.com *.scorecardresearch.com *.top100.ru *.yandex.ru *.criteo.com yastatic.net *.plista.com *.facebook.com vk.com *.ok.ru *.pingdom.com *.pingdom.net *.vk.com *.twitter.com *.twimg.com *.facebook.net *.instagram.com *.services.livejournal.com *.videos.livejournal.com *.adfox.ru *.exelator.com *.rambler.ru *.rubiconproject.com *.yahooapis.com *.newrelic.com *.nr-data.net *.doubleclick.net googleads.g.doubleclick.net *.lj.ru *.googleapis.com *.youtube.com *.varlamov.me *.varlamov.com *.google.com static.xx.fbcdn.net dsp-rambler.ru openstat.net *.rnet.plus twemoji.maxcdn.com *.googletagservices.com *.googlesyndication.com mc.yandex.ru ymetrica.com telegram.org 'unsafe-inline' 'unsafe-eval'; style-src https: data: 'unsafe-inline'; img-src https: data:; frame-src https:; font-src https: data:; connect-src *.livejournal.com *.livejournal.net *.services.livejournal.com *.google-analytics.com ssp.rambler.ru *.yandex.ru *.ssp.rambler.ru lj.stat.eagleplatform.com *.pingdom.net *.googleapis.com kraken.rambler.ru *.twitter.com *.youtube.com googleads.g.doubleclick.net static.xx.fbcdn.net *.lj.ru *.rnet.plus mc.yandex.ru ymetrica.com; report-uri https://livejournal.com/csp_reports
  • fyentertainment.livejournal.com default-src *.livejournal.com *.livejournal.net; script-src *.livejournal.com *.livejournal.net *.google-analytics.com *.googletagmanager.com *.scorecardresearch.com *.top100.ru *.yandex.ru *.criteo.com yastatic.net *.plista.com *.facebook.com vk.com *.ok.ru *.pingdom.com *.pingdom.net *.vk.com *.twitter.com *.twimg.com *.facebook.net *.instagram.com *.services.livejournal.com *.videos.livejournal.com *.adfox.ru *.exelator.com *.rambler.ru *.rubiconproject.com *.yahooapis.com *.newrelic.com *.nr-data.net *.doubleclick.net googleads.g.doubleclick.net *.lj.ru *.googleapis.com *.youtube.com *.varlamov.me *.varlamov.com *.google.com static.xx.fbcdn.net dsp-rambler.ru openstat.net *.rnet.plus twemoji.maxcdn.com *.googletagservices.com *.googlesyndication.com mc.yandex.ru ymetrica.com telegram.org 'unsafe-inline' 'unsafe-eval'; style-src https: data: 'unsafe-inline'; img-src https: data:; frame-src https:; font-src https: data:; connect-src *.livejournal.com *.livejournal.net *.services.livejournal.com *.google-analytics.com ssp.rambler.ru *.yandex.ru *.ssp.rambler.ru lj.stat.eagleplatform.com *.pingdom.net *.googleapis.com kraken.rambler.ru *.twitter.com *.youtube.com googleads.g.doubleclick.net static.xx.fbcdn.net *.lj.ru *.rnet.plus mc.yandex.ru ymetrica.com; report-uri https://livejournal.com/csp_reports
  • ftse.com policy-uri /http://www.ftse.com/* https://www.ftse.com/*
  • www.ibm.com default-src https: 'unsafe-eval' 'unsafe-inline'
  • soviet-life.livejournal.com default-src *.livejournal.com *.livejournal.net; script-src *.livejournal.com *.livejournal.net *.google-analytics.com *.googletagmanager.com *.scorecardresearch.com *.top100.ru *.yandex.ru *.criteo.com yastatic.net *.plista.com *.facebook.com vk.com *.ok.ru *.pingdom.com *.pingdom.net *.vk.com *.twitter.com *.twimg.com *.facebook.net *.instagram.com *.services.livejournal.com *.videos.livejournal.com *.adfox.ru *.exelator.com *.rambler.ru *.rubiconproject.com *.yahooapis.com *.newrelic.com *.nr-data.net *.doubleclick.net googleads.g.doubleclick.net *.lj.ru *.googleapis.com *.youtube.com *.varlamov.me *.varlamov.com *.google.com static.xx.fbcdn.net dsp-rambler.ru openstat.net *.rnet.plus twemoji.maxcdn.com *.googletagservices.com *.googlesyndication.com mc.yandex.ru ymetrica.com telegram.org *.webturn.ru www.dropbox.com *.criteo.net z.moatads.com r.webturn.ru 'unsafe-inline' 'unsafe-eval'; style-src http: https: data: 'unsafe-inline'; img-src http: https: data:; frame-src http: https:; font-src http: https: data:; connect-src *.livejournal.com *.livejournal.net *.services.livejournal.com *.google-analytics.com ssp.rambler.ru *.yandex.ru *.ssp.rambler.ru lj.stat.eagleplatform.com *.pingdom.net *.googleapis.com kraken.rambler.ru *.twitter.com *.youtube.com googleads.g.doubleclick.net static.xx.fbcdn.net *.lj.ru *.rnet.plus mc.yandex.ru ymetrica.com *.webturn.ru *.criteo.com dsp-rambler.ru *.rambler.ru stats.g.doubleclick.net *.eaglecdn.com wss://www.livejournal.com; report-uri https://livejournal.com/csp_reports
  • assets.secure.checkout.visa.com default-src 'self' https://*.v.me https://*.visa.com;script-src 'self' 'unsafe-inline' 'unsafe-eval' https://*.visa.com https://*.v.me;img-src 'self' https://*.v.me https://*.visa.com https://*.unica.com https://ad.doubleclick.net;style-src 'self' 'unsafe-inline' https://*.visa.com;object-src https://*.v.me https://*.visa.com data:;report-uri /logging/logCSPReport;
  • i-m-ho.livejournal.com default-src *.livejournal.com *.livejournal.net; script-src *.livejournal.com *.livejournal.net *.google-analytics.com *.googletagmanager.com *.scorecardresearch.com *.top100.ru *.yandex.ru *.criteo.com yastatic.net *.plista.com *.facebook.com vk.com *.ok.ru *.pingdom.com *.pingdom.net *.vk.com *.twitter.com *.twimg.com *.facebook.net *.instagram.com *.services.livejournal.com *.videos.livejournal.com *.adfox.ru *.exelator.com *.rambler.ru *.rubiconproject.com *.yahooapis.com *.newrelic.com *.nr-data.net *.doubleclick.net googleads.g.doubleclick.net *.lj.ru *.googleapis.com *.youtube.com *.varlamov.me *.varlamov.com *.google.com static.xx.fbcdn.net dsp-rambler.ru openstat.net *.rnet.plus twemoji.maxcdn.com *.googletagservices.com *.googlesyndication.com mc.yandex.ru ymetrica.com telegram.org *.webturn.ru www.dropbox.com *.criteo.net z.moatads.com r.webturn.ru 'unsafe-inline' 'unsafe-eval'; style-src http: https: data: 'unsafe-inline'; img-src http: https: data:; frame-src http: https:; font-src http: https: data:; connect-src *.livejournal.com *.livejournal.net *.services.livejournal.com *.google-analytics.com ssp.rambler.ru *.yandex.ru *.ssp.rambler.ru lj.stat.eagleplatform.com *.pingdom.net *.googleapis.com kraken.rambler.ru *.twitter.com *.youtube.com googleads.g.doubleclick.net static.xx.fbcdn.net *.lj.ru *.rnet.plus mc.yandex.ru ymetrica.com *.webturn.ru *.criteo.com dsp-rambler.ru *.rambler.ru stats.g.doubleclick.net *.eaglecdn.com wss://www.livejournal.com; report-uri https://livejournal.com/csp_reports
  • andrey-cruz.livejournal.com default-src *.livejournal.com *.livejournal.net; script-src *.livejournal.com *.livejournal.net *.google-analytics.com *.googletagmanager.com *.scorecardresearch.com *.top100.ru *.yandex.ru *.criteo.com yastatic.net *.plista.com *.facebook.com vk.com *.ok.ru *.pingdom.com *.pingdom.net *.vk.com *.twitter.com *.twimg.com *.facebook.net *.instagram.com *.services.livejournal.com *.videos.livejournal.com *.adfox.ru *.exelator.com *.rambler.ru *.rubiconproject.com *.yahooapis.com *.newrelic.com *.nr-data.net *.doubleclick.net googleads.g.doubleclick.net *.lj.ru *.googleapis.com *.youtube.com *.varlamov.me *.varlamov.com *.google.com static.xx.fbcdn.net dsp-rambler.ru openstat.net *.rnet.plus twemoji.maxcdn.com *.googletagservices.com *.googlesyndication.com mc.yandex.ru ymetrica.com telegram.org *.webturn.ru www.dropbox.com *.criteo.net z.moatads.com r.webturn.ru 'unsafe-inline' 'unsafe-eval'; style-src http: https: data: 'unsafe-inline'; img-src http: https: data:; frame-src http: https:; font-src http: https: data:; connect-src *.livejournal.com *.livejournal.net *.services.livejournal.com *.google-analytics.com ssp.rambler.ru *.yandex.ru *.ssp.rambler.ru lj.stat.eagleplatform.com *.pingdom.net *.googleapis.com kraken.rambler.ru *.twitter.com *.youtube.com googleads.g.doubleclick.net static.xx.fbcdn.net *.lj.ru *.rnet.plus mc.yandex.ru ymetrica.com *.webturn.ru *.criteo.com dsp-rambler.ru *.rambler.ru stats.g.doubleclick.net *.eaglecdn.com wss://www.livejournal.com; report-uri https://livejournal.com/csp_reports
  • kitya.livejournal.com default-src *.livejournal.com *.livejournal.net; script-src *.livejournal.com *.livejournal.net *.google-analytics.com *.googletagmanager.com *.scorecardresearch.com *.top100.ru *.yandex.ru *.criteo.com yastatic.net *.plista.com *.facebook.com vk.com *.ok.ru *.pingdom.com *.pingdom.net *.vk.com *.twitter.com *.twimg.com *.facebook.net *.instagram.com *.services.livejournal.com *.videos.livejournal.com *.adfox.ru *.exelator.com *.rambler.ru *.rubiconproject.com *.yahooapis.com *.newrelic.com *.nr-data.net *.doubleclick.net googleads.g.doubleclick.net *.lj.ru *.googleapis.com *.youtube.com *.varlamov.me *.varlamov.com *.google.com static.xx.fbcdn.net dsp-rambler.ru openstat.net *.rnet.plus twemoji.maxcdn.com *.googletagservices.com *.googlesyndication.com mc.yandex.ru ymetrica.com telegram.org *.webturn.ru www.dropbox.com *.criteo.net z.moatads.com r.webturn.ru 'unsafe-inline' 'unsafe-eval'; style-src http: https: data: 'unsafe-inline'; img-src http: https: data:; frame-src http: https:; font-src http: https: data:; connect-src *.livejournal.com *.livejournal.net *.services.livejournal.com *.google-analytics.com ssp.rambler.ru *.yandex.ru *.ssp.rambler.ru lj.stat.eagleplatform.com *.pingdom.net *.googleapis.com kraken.rambler.ru *.twitter.com *.youtube.com googleads.g.doubleclick.net static.xx.fbcdn.net *.lj.ru *.rnet.plus mc.yandex.ru ymetrica.com *.webturn.ru *.criteo.com dsp-rambler.ru *.rambler.ru stats.g.doubleclick.net *.eaglecdn.com wss://www.livejournal.com; report-uri https://livejournal.com/csp_reports
  • zagulska.livejournal.com default-src *.livejournal.com *.livejournal.net; script-src *.livejournal.com *.livejournal.net *.google-analytics.com *.googletagmanager.com *.scorecardresearch.com *.top100.ru *.yandex.ru *.criteo.com yastatic.net *.plista.com *.facebook.com vk.com *.ok.ru *.pingdom.com *.pingdom.net *.vk.com *.twitter.com *.twimg.com *.facebook.net *.instagram.com *.services.livejournal.com *.videos.livejournal.com *.adfox.ru *.exelator.com *.rambler.ru *.rubiconproject.com *.yahooapis.com *.newrelic.com *.nr-data.net *.doubleclick.net googleads.g.doubleclick.net *.lj.ru *.googleapis.com *.youtube.com *.varlamov.me *.varlamov.com *.google.com static.xx.fbcdn.net dsp-rambler.ru openstat.net *.rnet.plus twemoji.maxcdn.com *.googletagservices.com *.googlesyndication.com mc.yandex.ru ymetrica.com telegram.org *.webturn.ru www.dropbox.com *.criteo.net z.moatads.com r.webturn.ru 'unsafe-inline' 'unsafe-eval'; style-src http: https: data: 'unsafe-inline'; img-src http: https: data:; frame-src http: https:; font-src http: https: data:; connect-src *.livejournal.com *.livejournal.net *.services.livejournal.com *.google-analytics.com ssp.rambler.ru *.yandex.ru *.ssp.rambler.ru lj.stat.eagleplatform.com *.pingdom.net *.googleapis.com kraken.rambler.ru *.twitter.com *.youtube.com googleads.g.doubleclick.net static.xx.fbcdn.net *.lj.ru *.rnet.plus mc.yandex.ru ymetrica.com *.webturn.ru *.criteo.com dsp-rambler.ru *.rambler.ru stats.g.doubleclick.net *.eaglecdn.com wss://www.livejournal.com; report-uri https://livejournal.com/csp_reports
  • kashin.livejournal.com default-src *.livejournal.com *.livejournal.net; script-src *.livejournal.com *.livejournal.net *.google-analytics.com *.googletagmanager.com *.scorecardresearch.com *.top100.ru *.yandex.ru *.criteo.com yastatic.net *.plista.com *.facebook.com vk.com *.ok.ru *.pingdom.com *.pingdom.net *.vk.com *.twitter.com *.twimg.com *.facebook.net *.instagram.com *.services.livejournal.com *.videos.livejournal.com *.adfox.ru *.exelator.com *.rambler.ru *.rubiconproject.com *.yahooapis.com *.newrelic.com *.nr-data.net *.doubleclick.net googleads.g.doubleclick.net *.lj.ru *.googleapis.com *.youtube.com *.varlamov.me *.varlamov.com *.google.com static.xx.fbcdn.net dsp-rambler.ru openstat.net *.rnet.plus twemoji.maxcdn.com *.googletagservices.com *.googlesyndication.com mc.yandex.ru ymetrica.com telegram.org 'unsafe-inline' 'unsafe-eval'; style-src https: data: 'unsafe-inline'; img-src https: data:; frame-src https:; font-src https: data:; connect-src *.livejournal.com *.livejournal.net *.services.livejournal.com *.google-analytics.com ssp.rambler.ru *.yandex.ru *.ssp.rambler.ru lj.stat.eagleplatform.com *.pingdom.net *.googleapis.com kraken.rambler.ru *.twitter.com *.youtube.com googleads.g.doubleclick.net static.xx.fbcdn.net *.lj.ru *.rnet.plus mc.yandex.ru ymetrica.com; report-uri https://livejournal.com/csp_reports
  • www.flipkart.com script-src 'self' 'unsafe-eval' https://*.flixcart.com https://flipkart.d1.sc.omtrdc.net https://dpm.demdex.net https://sslwidget.criteo.com https://widget.as.criteo.com 'nonce-6763504640167586685' https://c.go-mpulse.net; style-src 'self' 'unsafe-inline' https://*.flixcart.com; img-src 'self' https://*.flixcart.com https://flipkart.d1.sc.omtrdc.net https://www.facebook.com https://*.fkapi.net https://googleads.g.doubleclick.net https://www.google.com https://www.google.co.in https://www.googleadservices.com https://sp.analytics.yahoo.com https://bat.bing.com https://bat.r.msn.com data: https://*.mpstat.us https://www.payzippy.com; font-src 'self' https://*.flixcart.com data:; frame-src 'self' https://*.flipkart.com http://*.flipkart.com https://*.youtube.com https://vimeo.com https://dis.as.criteo.com https://www.payzippy.com 'nonce-6763504640167586685'; child-src 'self' https://*.flipkart.com 'nonce-6763504640167586685'; connect-src 'self' *; report-uri https://csp.flipkart.com/csp
  • upload.wikimedia.org default-src 'none'; style-src 'unsafe-inline' data:; font-src data:; img-src data: https://upload.wikimedia.org/favicon.ico; media-src data:; sandbox; report-uri https://commons.wikimedia.org/w/api.php?reportonly=1&source=image&action=cspreport&format=json&
  • www.ipko.pl default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; connect-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; font-src 'self'; report-uri /ikd_img/skins/ipko/xrcv;
  • www.behance.net connect-src *;frame-src *;img-src https: data: blob: about: safari-extension: safari-resource: chrome-extension: http://*.rackcdn.com http://*.tumblr.com http://huaban.com;script-src https: 'unsafe-eval' 'unsafe-inline'; report-uri /log/csp
  • qa.com default-src *; script-src 'self' data: 'unsafe-inline' 'unsafe-eval' https://ajax.googleapis.com https://widgets.getsitecontrol.com/ https://v2.zopim.com/ https://cdn.optimizely.com https://static.ads-twitter.com www.google-analytics.com www.gstatic.com https://analytics.twitter.com https://*.hotjar.com https://ssl.google-analytics.com https://static.olark.com https://ssl.p.jwpcdn.com https://assets-jpcust.jwpsrv.com https://www.youtube.com https://s.ytimg.com https://www.google.com https://*.googleapis.com https://bat.bing.com ict.infinity-tracking.net https://t.wowanalytics.co.uk use.typekit.net https://www.google-analytics.com https://www.googleadservices.com https://www.googletagmanager.com https://www.gstatic.com https://connect.facebook.net https://platform.twitter.com https://s3.amazonaws.com https://services.postcodeanywhere.co.uk https://www.google.co.uk https://googleads.g.doubleclick.net; style-src 'self' data: 'unsafe-inline' https://static.olark.com *.googleapis.com use.typekit.net https://services.postcodeanywhere.co.uk https://maxcdn.bootstrapcdn.com; img-src * data:; font-src 'self' data: https://maxcdn.bootstrapcdn.com https://v2.zopim.com/ https://fonts.typekit.net fonts.gstatic.com https://use.typekit.net http://fontface.ninja https://maxcdn.bootstrapcdn.com http://themes.googleusercontent.com; child-src 'self' data: https://vars.hotjar.com https://static.olark.com http://sdn.sitecore.net https://www.youtube.com https://players.brightcove.net https://qad.eu.crossknowledge.com https://www.google.com https://accounts.google.com https://www.googletagmanager.com https://bid.g.doubleclick.net https://www.facebook.com; frame-src 'self' https://www.facebook.com; frame-ancestors 'self' https://qad.eu.crossknowledge.com; report-uri https://3chillies.report-uri.io/r/default/csp/reportOnly;
  • brokenbeats.org default-src https:; script-src data: 'unsafe-inline' 'unsafe-eval' https:; style-src 'unsafe-inline' https:; object-src https:; img-src data: https:; media-src https:; frame-src https:; font-src https:; connect-src https:; report-uri https://brokenbeats.org/ajax/csp.php
  • www.date-newsletter.com default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self'; img-src 'self' data: http: https:; report-uri /cspreport;
  • dgsnd.gov.in default-src 'self'; report-uri admin/settings/seckit/csp-report
  • kinopolis-ticketshop.de default-src *; script-src 'self' script.ioam.de moviebox.kinoundco.de connect.facebook.net use.typekit.net;
  • vuforia.com default-src 'self'; script-src 'self' 'unsafe-eval' https: www.google.com s7.addthis.com tags.tiqcdn.com secure.insightexpressai.com browser-update.org m.addthis.com sadmin.brightcove.com admin.brightcove.com *.newrelic.com *.nr-data.net api.swiftype.com onqblog.disqus.com a.disquscdn.com platform.twitter.com snapdragonblog.disqus.com; object-src http://brightcove04.o.brightcove.com http://brightcove.vo.llnwd.net https://brightcove.vo.llnwd.net https://secure.brightcove.com https://sadmin.brightcove.com https://metrics.brightcove.com https://goku.brightcove.com; style-src 'self' 'unsafe-inline' https: s7.addthis.com; img-src 'self' data: https: www.qualcomm.com pt-corpmktg.qualcomm.com qualcomm.sc.omtrdc.net sb.scorecardresearch.com goku.brightcove.com metrics.brightcove.com s7.addthis.com *.nr-data.net brightcove.vo.linwd.net analytics.twitter.com t.co controller.4seeresults.com events.foreseeresults.com; frame-src 'self' https: s7.addthis.com www.youtube.com disqus.com; font-src 'self'; connect-src 'self' https: admin.brightcove.com http://brightcove.vo.llnwd.net *.nr-data.net links.services.disqus.com; report-uri /seckit/csp-report
  • kinoticket-shop.de default-src *; script-src 'self' script.ioam.de moviebox.kinoundco.de connect.facebook.net use.typekit.net;
  • dotpay.eu default-src 'self' 'unsafe-inline' 'unsafe-eval' https://ssl.dotpay.pl *.dotpay.pl www.google-analytics.com *.facebook.net *.facebook.com https://*.facebook.com; options eval-script
  • tobias.lauinger.name default-src 'none'; script-src 'none'; object-src 'none'; style-src 'none'; img-src 'none'; media-src 'none'; frame-src 'none'; font-src 'none'; connect-src 'none'; report-uri http://tobias.lauinger.name/csp.cgi?type=regular&header=x, default-src *; script-src * 'unsafe-inline'; style-src * 'unsafe-inline'; report-uri http://tobias.lauinger.name/csp.cgi?type=eval&header=x, default-src *; script-src * 'unsafe-eval'; style-src *; report-uri http://tobias.lauinger.name/csp.cgi?type=inline&header=x