We're looking for a user researcher to understand the needs of developers and designers. Is this you or someone you know? Check out the post: https://mzl.la/2IGzdXS

 

The Report-To HTTP response header field instructs the user agent to store reporting endpoints for an origin. 

Content-Security-Policy: ...; report-to groupname

 

The directive has no effect in and of itself, but only gains meaning in combination with other directives.

CSP version 1
Directive type Reporting directive
This directive is not supported in the <meta> element.

Syntax

Content-Security-Policy: report-to <json-field-value>;

Examples

See Content-Security-Policy-Report-Only for more information and examples.

Report-To: { "group": "csp-endpoint",
             "max-age": 10886400,
             "endpoints": [
               { "url": "https://example.com/csp-reports" }
             ] },
           { "group": "hpkp-endpoint",
             "max-age": 10886400,
             "endpoints": [
               { "url": "https://example.com/hpkp-reports" }
             ] }
Content-Security-Policy: ...; report-to csp-endpoint

 

Report-To: { "group": "endpoint-1",
             "max-age": 10886400,
             "endpoints": [
               { "url": "https://example.com/reports" },
               { "url": "https://backup.com/reports" }
             ] } 

Content-Security-Policy: ...; report-to endpoint-1

 

Browser compatibility

The compatibility table in this page is generated from structured data. If you'd like to contribute to the data, please check out https://github.com/mdn/browser-compat-data and send us a pull request.

FeatureChromeEdgeFirefoxInternet ExplorerOperaSafari
Basic support No No No No No No
FeatureAndroid webviewChrome for AndroidEdge mobileFirefox for AndroidOpera AndroidiOS SafariSamsung Internet
Basic support No No No No No No No

See also

 

Document Tags and Contributors

Tags: 
Contributors to this page: bwalding, venkat_reddy
Last updated by: bwalding,