Legacy and deprecated variant of the Content-Security-Policy-Report-Only header, used by WebKit browsers during the initial period of CSP support.

We have seen 31 websites setting the X-WebKit-CSP-Report-Only HTTP header and 23 unique values of this header.

Most popular variants of the header value (each entry gives the site, followed by the value it set):

  • a-ads.com default-src https: data: 'unsafe-inline' 'unsafe-eval'; frame-src https://* about: javascript:; img-src chrome-extension:
  • ftse.com policy-uri /http://www.ftse.com/* https://www.ftse.com/*
  • assets.secure.checkout.visa.com default-src 'self' https://*.v.me https://*.visa.com;script-src 'self' 'unsafe-inline' 'unsafe-eval' https://*.visa.com https://*.v.me;img-src 'self' https://*.v.me https://*.visa.com https://*.unica.com https://ad.doubleclick.net;style-src 'self' 'unsafe-inline' https://*.visa.com;object-src https://*.v.me https://*.visa.com data:;report-uri /logging/logCSPReport;
  • www.flipkart.com script-src 'self' 'unsafe-eval' https://*.flixcart.com https://flipkart.d1.sc.omtrdc.net https://dpm.demdex.net https://sslwidget.criteo.com https://widget.as.criteo.com 'nonce-6763504640167586685' https://c.go-mpulse.net; style-src 'self' 'unsafe-inline' https://*.flixcart.com; img-src 'self' https://*.flixcart.com https://flipkart.d1.sc.omtrdc.net https://www.facebook.com https://*.fkapi.net https://googleads.g.doubleclick.net https://www.google.com https://www.google.co.in https://www.googleadservices.com https://sp.analytics.yahoo.com https://bat.bing.com https://bat.r.msn.com data: https://*.mpstat.us https://www.payzippy.com; font-src 'self' https://*.flixcart.com data:; frame-src 'self' https://*.flipkart.com http://*.flipkart.com https://*.youtube.com https://vimeo.com https://dis.as.criteo.com https://www.payzippy.com 'nonce-6763504640167586685'; child-src 'self' https://*.flipkart.com 'nonce-6763504640167586685'; connect-src 'self' *; report-uri https://csp.flipkart.com/csp
  • upload.wikimedia.org default-src 'none'; style-src 'unsafe-inline' data:; font-src data:; img-src data: https://upload.wikimedia.org/favicon.ico; media-src data:; sandbox; report-uri https://commons.wikimedia.org/w/api.php?reportonly=1&source=image&action=cspreport&format=json&
  • connect.mail.ru default-src https: 'unsafe-inline' 'unsafe-eval'; report-uri http://log.foto.mail.ru/csperr/; img-src https://* data: ; frame-src https://* about: javascript:
  • stat.my.mail.ru default-src https: 'unsafe-inline' 'unsafe-eval'; report-uri http://log.foto.mail.ru/csperr/; img-src https://* data: ; frame-src https://* about: javascript:
  • my.mail.ru default-src https: 'unsafe-inline' 'unsafe-eval'; report-uri http://log.foto.mail.ru/csperr/; img-src https://* data: ; frame-src https://* about: javascript:
  • brokenbeats.org default-src https:; script-src data: 'unsafe-inline' 'unsafe-eval' https:; style-src 'unsafe-inline' https:; object-src https:; img-src data: https:; media-src https:; frame-src https:; font-src https:; connect-src https:; report-uri https://brokenbeats.org/ajax/csp.php
  • www.date-newsletter.com default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self'; img-src 'self' data: http: https:; report-uri /cspreport;
  • dgsnd.gov.in default-src 'self'; report-uri admin/settings/seckit/csp-report
  • vuforia.com default-src 'self'; script-src 'self' 'unsafe-eval' https: www.google.com s7.addthis.com tags.tiqcdn.com secure.insightexpressai.com browser-update.org m.addthis.com sadmin.brightcove.com admin.brightcove.com *.newrelic.com *.nr-data.net api.swiftype.com onqblog.disqus.com a.disquscdn.com platform.twitter.com snapdragonblog.disqus.com; object-src http://brightcove04.o.brightcove.com http://brightcove.vo.llnwd.net https://brightcove.vo.llnwd.net https://secure.brightcove.com https://sadmin.brightcove.com https://metrics.brightcove.com https://goku.brightcove.com; style-src 'self' 'unsafe-inline' https: s7.addthis.com; img-src 'self' data: https: www.qualcomm.com pt-corpmktg.qualcomm.com qualcomm.sc.omtrdc.net sb.scorecardresearch.com goku.brightcove.com metrics.brightcove.com s7.addthis.com *.nr-data.net brightcove.vo.linwd.net analytics.twitter.com t.co controller.4seeresults.com events.foreseeresults.com; frame-src 'self' https: s7.addthis.com www.youtube.com disqus.com; font-src 'self'; connect-src 'self' https: admin.brightcove.com http://brightcove.vo.llnwd.net *.nr-data.net links.services.disqus.com; report-uri /seckit/csp-report
  • tobias.lauinger.name default-src 'none'; script-src 'none'; object-src 'none'; style-src 'none'; img-src 'none'; media-src 'none'; frame-src 'none'; font-src 'none'; connect-src 'none'; report-uri http://tobias.lauinger.name/csp.cgi?type=regular&header=webkit, default-src *; script-src * 'unsafe-inline'; style-src * 'unsafe-inline'; report-uri http://tobias.lauinger.name/csp.cgi?type=eval&header=webkit, default-src *; script-src * 'unsafe-eval'; style-src *; report-uri http://tobias.lauinger.name/csp.cgi?type=inline&header=webkit
  • espnfc.espn.uol.com.br default-src https: data: 'unsafe-inline' 'unsafe-eval'; frame-src https://* about: javascript:; img-src chrome-extension:
  • sheffieldfinancial.com default-src https://* 'self' chrome-extension:; connect-src https://* 'self' chrome-extension:; font-src https://* 'self' chrome-extension:; frame-src https://* http://*.sheffieldfinancial.com chrome-extension:; img-src http://*.sheffieldfinancial.com 'self' chrome-extension: data:; media-src https://* 'self' chrome-extension:; object-src https://* 'self' chrome-extension:; script-src https://* 'self' chrome-extension:; style-src https://* 'self' chrome-extension:;
  • veracode.com default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline' *.googleapis.com *.marketo.net *.google-analytics.com use.typekit.net *.liveperson.net *.google.com *.linkedin.com; object-src 'self'; style-src 'self' 'unsafe-inline' fonts.googleapis.com cloud.typography.com use.typekit.net www.veracode.com; img-src 'self' data: p.typekit.net *.mktoresp.com info.veracode.com www.linkedin.com; media-src 'self' www.youtube.com; frame-src 'self' www.youtube.com *.google.com www.facebook.com platform.twitter.com www.hirebridge.com; font-src 'self' data: use.typekit.com themes.googleusercontent.com; connect-src 'self'; report-uri /admin/config/system/seckit/csp-report
  • urnadecristal.gov.co default-src 'self'; report-uri /admin/config/system/seckit/csp-report
  • webbilling.com default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; report-uri //joinpage.webbilling.com/logservice.php
  • neurs.net default-src 'self';script-src 'self' 'eval-script' https://maps.googleapis.com https://maps.gstatic.com https://google-maps-utility-library-v3.googlecode.com https://ajax.googleapis.com https://cdnjs.cloudflare.com https://mts1.googleapis.com https://fonts.googleapis.com https://mt1.googleapis.com https://maps.gstatic.com/mapfiles https://googleapis.com https://mts0.googleapis.com;img-src 'self' data: https://dpbob3sbronxq.cloudfront.net https://maps.gstatic.com https://mts0.googleapis.com https://mts1.googleapis.com https://maps.googleapis.com https://csi.gstatic.com http://mt1.googleapis.com https://images.neurs.com https://img.createsend1.com https://www.google.com http://seedcamp.com http://sourcedigit.com https://dks738qwkwpt8.cloudfront.net;frame-src 'self' https://player.vimeo.com;font-src 'self' https://fonts.gstatic.com https://maxcdn.bootstrapcdn.com;style-src 'self' https://fonts.googleapis.com https://maxcdn.bootstrapcdn.com;report-uri https://www.neurs.net/api/csp
  • cdmatech.com default-src 'self'; script-src 'self' 'unsafe-eval' https: www.google.com s7.addthis.com tags.tiqcdn.com secure.insightexpressai.com browser-update.org m.addthis.com sadmin.brightcove.com admin.brightcove.com *.newrelic.com *.nr-data.net api.swiftype.com onqblog.disqus.com a.disquscdn.com platform.twitter.com snapdragonblog.disqus.com; object-src http://brightcove04.o.brightcove.com http://brightcove.vo.llnwd.net https://brightcove.vo.llnwd.net https://secure.brightcove.com https://sadmin.brightcove.com https://metrics.brightcove.com https://goku.brightcove.com; style-src 'self' 'unsafe-inline' https: s7.addthis.com; img-src 'self' data: https: www.qualcomm.com pt-corpmktg.qualcomm.com qualcomm.sc.omtrdc.net sb.scorecardresearch.com goku.brightcove.com metrics.brightcove.com s7.addthis.com *.nr-data.net brightcove.vo.linwd.net analytics.twitter.com t.co controller.4seeresults.com events.foreseeresults.com; frame-src 'self' https: s7.addthis.com www.youtube.com disqus.com; font-src 'self'; connect-src 'self' https: admin.brightcove.com http://brightcove.vo.llnwd.net *.nr-data.net links.services.disqus.com; report-uri /seckit/csp-report
  • d30y4n1t170mxu.cloudfront.net default-src 'self' https:; script-src 'self' 'unsafe-inline' 'unsafe-eval' https: s3.amazonaws.com *.stripe.com *.cloudflare.com *.cloudfront.net *.maxmind.com *.bootsrapcdn.com *.facebook.com *.facebook.net *.polyfill.io *.loggly.com *.twitter.com *.google-analytics.com *.googleadservices.com *.mxpnl.com *.chatlio.com *.googleapis.com *.indeed.com *.herokuapp.com *.mailgun.com *.wootric.com *.cameratag.com *.tlscdn.com *.youtube.com; style-src 'self' 'unsafe-inline' https: *.chatlio.com *.googleapis.com *.typography.com *.cloudfront.net *.cloudflare.com *.facebook.com *.indeed.com; img-src 'self' data: https: *.cloudfront.net *.doubleclick.net *.filepicker.com *.google.com *.google-analytics.com *.zendesk.com *.workpop.com; connect-src 'self' ws: wss https: *.kadira.io *.chatlio.com *.mixpanel.com *.loggly.com *.maxmind.com *.filepicker.io *.wootric.com wss://www.workpop.com; font-src 'self' data: https: *.gstatic.com *.bootstrapcdn.com *.chatlio.com *.cloudfront.net *.cloudflare.com; child-src 'self' file https: *.zendesk.com *.facebook.com *.filepicker.io *.stripe.com *.docusign.net *.indeed.com *.youtube.com *.tlscdn.com; media-src 'self' https: *.chatlio.com *.cameratag.com *.cloudfront.net; report-uri https://workpopjobs.report-uri.io/r/default/csp/reportOnly; object-src 'self'
  • qualcomm.co.in default-src 'self'; script-src 'self' 'unsafe-eval' https: www.google.com s7.addthis.com tags.tiqcdn.com secure.insightexpressai.com browser-update.org m.addthis.com sadmin.brightcove.com admin.brightcove.com *.newrelic.com *.nr-data.net api.swiftype.com onqblog.disqus.com a.disquscdn.com platform.twitter.com snapdragonblog.disqus.com http://gateway.answerscloud.com http://s.cr-nielsen.com; object-src brightcove.vo.llnwd.net t.hypers.com.cn; style-src 'self' 'unsafe-inline' https: s7.addthis.com; img-src 'self' data: https: www.qualcomm.com pt-corpmktg.qualcomm.com qualcomm.sc.omtrdc.net sb.scorecardresearch.com goku.brightcove.com metrics.brightcove.com s7.addthis.com *.nr-data.net brightcove.vo.linwd.net analytics.twitter.com t.co controller.4seeresults.com events.foreseeresults.com; frame-src 'self' https: s7.addthis.com www.youtube.com disqus.com http://gateway.answerscloud.com t.hypers.com.cn; font-src 'self'; connect-src 'self' https: admin.brightcove.com brightcove.vo.llnwd.net *.nr-data.net links.services.disqus.com; report-uri /user
  • beta.workpop.com default-src 'self' https:; script-src 'self' 'unsafe-inline' 'unsafe-eval' https: s3.amazonaws.com *.stripe.com *.cloudflare.com *.cloudfront.net *.maxmind.com *.bootsrapcdn.com *.facebook.com *.facebook.net *.polyfill.io *.loggly.com *.twitter.com *.google-analytics.com *.googleadservices.com *.mxpnl.com *.chatlio.com *.googleapis.com *.indeed.com *.herokuapp.com *.mailgun.com *.wootric.com *.cameratag.com *.tlscdn.com *.youtube.com; style-src 'self' 'unsafe-inline' https: *.chatlio.com *.googleapis.com *.typography.com *.cloudfront.net *.cloudflare.com *.facebook.com *.indeed.com; img-src 'self' data: https: *.cloudfront.net *.doubleclick.net *.filepicker.com *.google.com *.google-analytics.com *.zendesk.com *.workpop.com; connect-src 'self' ws: wss https: *.kadira.io *.chatlio.com *.mixpanel.com *.loggly.com *.maxmind.com *.filepicker.io *.wootric.com wss://www.workpop.com; font-src 'self' data: https: *.gstatic.com *.bootstrapcdn.com *.chatlio.com *.cloudfront.net *.cloudflare.com; child-src 'self' file https: *.zendesk.com *.facebook.com *.filepicker.io *.stripe.com *.docusign.net *.indeed.com *.youtube.com *.tlscdn.com; media-src 'self' https: *.chatlio.com *.cameratag.com *.cloudfront.net; report-uri https://workpopjobs.report-uri.io/r/default/csp/reportOnly; object-src 'self'
  • flipkart.com default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://*.flixcart.com https://flipkart.d1.sc.omtrdc.net https://dpm.demdex.net https://sslwidget.criteo.com https://widget.as.criteo.com 'nonce-8321460613677854015'; style-src 'self' 'unsafe-inline' https://*.flixcart.com; img-src 'self' https://*.flixcart.com https://flipkart.d1.sc.omtrdc.net https://www.facebook.com https://*.fkapi.net https://googleads.g.doubleclick.net https://www.google.com https://www.google.co.in https://www.googleadservices.com data:; font-src 'self' https://*.flixcart.com data:; frame-src 'self' https://*.flipkart.com http://*.flipkart.com https://*.youtube.com https://vimeo.com https://dis.as.criteo.com; child-src 'self' https://*.flipkart.com; connect-src 'self' *; report-uri https://csp.flipkart.com/csp
  • qualcomm.com default-src 'self' blob:; script-src 'self' 'unsafe-eval' blob: https: www.google.com tags.tiqcdn.com secure.insightexpressai.com browser-update.org *.newrelic.com *.nr-data.net api.swiftype.com onqblog.disqus.com a.disquscdn.com platform.twitter.com snapdragonblog.disqus.com 3642644.fls.doubleclick.net 'sha256-/3jsvuZODfJI1Eg99StI7HtPfGc1mT2ElQZ8nHDbQbM='; object-src https://metrics.brightcove.com; style-src 'self' 'unsafe-inline' https:; img-src 'self' data: https: www.qualcomm.com pt-corpmktg.qualcomm.com qualcomm.sc.omtrdc.net sb.scorecardresearch.com metrics.brightcove.com *.nr-data.net analytics.twitter.com t.co controller.4seeresults.com events.foreseeresults.com insight.adsrvr.org; media-src 'self' blob: https: secure.brightcove.com; frame-src 'self' https: www.youtube.com disqus.com 3642644.fls.doubleclick.net; font-src 'self' data: https: vjs.zencdn.net; connect-src 'self' https: *.nr-data.net links.services.disqus.com; report-uri /admin/config/system/seckit/csp-report