SecurityPolicyViolationEvent

This is an experimental technology
Check the Browser compatibility table carefully before using this in production.

The SecurityPolicyViolationEvent interface inherits from Event, and represents the event object of an event sent on a document or worker when its content security policy is violated.

Constructor

SecurityPolicyViolationEvent()
Creates a new SecurityPolicyViolationEvent object instance.

Properties

SecurityPolicyViolationEvent.blockedURIRead only
A USVString representing the URI of the resource that was blocked because it violates a policy.
SecurityPolicyViolationEvent.columnNumberRead only
The column number in the document or worker at which the violation occurred.
SecurityPolicyViolationEvent.dispositionRead only
Indicates how the violated policy is configured to be treated by the user agent. This will be "enforce" or "report".
SecurityPolicyViolationEvent.documentURIRead only
A USVString representing the URI of the document or worker in which the violation was found.
SecurityPolicyViolationEvent.effectiveDirectiveRead only
A DOMString representing the directive whose enforcement uncovered the violation.
SecurityPolicyViolationEvent.lineNumberRead only
The line number in the document or worker at which the violation occurred.
SecurityPolicyViolationEvent.originalPolicyRead only
A DOMString containing the policy whose enforcement uncovered the violation.
SecurityPolicyViolationEvent.referrerRead only
A USVString representing the referrer of the resources whose policy was violated. This will be a URL or null.
SecurityPolicyViolationEvent.sampleRead only
A DOMString representing a sample of the resource that caused the violation, usually the first 40 characters. This will only be populated if the resource is an inline script, event handler, or style — external resources causing a violation will not generate a sample.
SecurityPolicyViolationEvent.sourceFileRead only
A USVString representing the URI of the document or worker in which the violation was found.
SecurityPolicyViolationEvent.statusCodeRead only
A number representing the HTTP status code of the document or worker in which the violation occurred.
SecurityPolicyViolationEvent.violatedDirectiveRead only
A DOMString representing the directive whose enforcement uncovered the violation.

Examples

document.addEventListener("securitypolicyviolation", (e) => {
  console.log(e.blockedURI);    
  console.log(e.violatedDirective);    
  console.log(e.originalPolicy);
});

Specifications

Specification Status Comment
Content Security Policy Level 3
The definition of 'SecurityPolicyViolationEvent' in that specification.
Working Draft Initial definition.

Browser compatibility

FeatureChromeEdgeFirefoxInternet ExplorerOperaSafari
Basic support Yes Yes591 No Yes Yes
SecurityPolicyViolationEvent support in workers56 Yes591 No43 Yes
SecurityPolicyViolationEvent() constructor Yes Yes591 No Yes Yes
blockedURI Yes15591 No Yes Yes
columnNumber Yes15591 No Yes Yes
disposition Yes Yes591 No Yes Yes
documentURI Yes15591 No Yes Yes
effectiveDirective Yes15591 No Yes Yes
lineNumber Yes15591 No Yes Yes
originalPolicy Yes15591 No Yes Yes
referrer Yes15591 No Yes Yes
sample59 Yes591 No46 Yes
sourceFile Yes15591 No Yes Yes
statusCode Yes15591 No Yes Yes
violatedDirective Yes15591 No Yes Yes
FeatureAndroid webviewChrome for AndroidEdge mobileFirefox for AndroidOpera AndroidiOS SafariSamsung Internet
Basic support Yes Yes Yes591 Yes Yes Yes
SecurityPolicyViolationEvent support in workers5656 Yes59143 Yes6.0
SecurityPolicyViolationEvent() constructor Yes Yes Yes591 Yes Yes Yes
blockedURI Yes Yes Yes591 Yes Yes Yes
columnNumber Yes Yes Yes591 Yes Yes Yes
disposition Yes Yes Yes591 Yes Yes Yes
documentURI Yes Yes Yes591 Yes Yes Yes
effectiveDirective Yes Yes Yes591 Yes Yes Yes
lineNumber Yes Yes Yes591 Yes Yes Yes
originalPolicy Yes Yes Yes591 Yes Yes Yes
referrer Yes Yes Yes591 Yes Yes Yes
sample5959 Yes59146 Yes7.0
sourceFile Yes Yes Yes591 Yes Yes Yes
statusCode Yes Yes Yes591 Yes Yes Yes
violatedDirective Yes Yes Yes591 Yes Yes Yes

1. From version 59: this feature is behind the security.csp.enable_violation_events preference (needs to be set to true). To change preferences in Firefox, visit about:config.

See also

 

Document Tags and Contributors

Contributors to this page: fscholz, chrisdavidmills, tocretpa, mattwojo, david_ross, jpmedley
Last updated by: fscholz,