Directive: report-to

Ryan Parman edited this page Jun 14, 2024 · 9 revisions

Overview

The report-to directive instructs the user agent to report attempts to violate the Content Security Policy. These violation reports consist of JSON documents sent via an HTTP POST request to the specified URI.

Warning

In CSP Level 3, the report-uri directive is deprecated in favor of report-to, which has a different syntax. Not all browsers support report-to yet, so we recommend using BOTH until browser support for report-to improves.

Required reading:

Usage examples

Important

MUST be used alongside the Reporting-Endpoints header.

Reporting-Endpoints: csp-endpoint="https://example.com/csp-reports"
report-to csp-endpoint

Fallbacks

report-to will fall back to report-uri if it is undefined.

Possible errors

This evaluates the Reporting-Endpoints header alongside the report-to directive.

  • CSP-0501 — [ERROR] directive report-to may only have a single value
  • CSP-0502 — [ERROR] directive %s refers to undefined reporting endpoint %s
  • CSP-0510 — [ERROR] token-pair %s does not contain an = character
  • CSP-0511 — [ERROR] %s appears to be missing a comma between token-pairs
  • CSP-0512 — [ERROR] token-pair %s is missing either a key or value
  • CSP-0513 — [ERROR] token-pair %s is missing a key
  • CSP-0514 — [ERROR] token-pair %s has a key with invalid characters
  • CSP-0515 — [ERROR] token-pair %s is missing a URL
  • CSP-0516 — [ERROR] token-pair %s URL is not enclosed in double quotes
  • CSP-0517 — [ERROR] token-pair %s URL is not a valid URL
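A sketch of how several of these checks fit together, added here as an illustration and not taken from this project's code. The function names are hypothetical, splitting on commas is naive (it ignores commas inside quoted URLs), and the key grammar (RFC 8941 dictionary keys) and https-only URL rule are assumptions of this example; CSP-0512 is not covered.

```python
import re
from urllib.parse import urlsplit

KEY_RE = re.compile(r"^[a-z*][a-z0-9_.*-]*$")  # RFC 8941 key (assumed rule)


def valid_url(text):
    """Assumption: a valid endpoint is an absolute https URL with a host."""
    try:
        parts = urlsplit(text)
        return parts.scheme == "https" and bool(parts.netloc)
    except ValueError:
        return False


def parse_endpoints(header):
    """Parse a Reporting-Endpoints value into ({name: url}, [error codes])."""
    endpoints, errors = {}, []
    for pair in (p.strip() for p in header.split(",")):
        key, sep, value = (s.strip() for s in pair.partition("="))
        if not sep:
            errors.append("CSP-0510")  # no "=" in the token-pair
        elif not key:
            errors.append("CSP-0513")  # missing key
        elif not KEY_RE.match(key):
            errors.append("CSP-0514")  # key has invalid characters
        elif value.count('"') > 2:
            errors.append("CSP-0511")  # two pairs run together, no comma
        elif not value:
            errors.append("CSP-0515")  # missing URL
        elif len(value) < 2 or value[0] != '"' or value[-1] != '"':
            errors.append("CSP-0516")  # URL not in double quotes
        elif not valid_url(value[1:-1]):
            errors.append("CSP-0517")  # not a valid URL
        else:
            endpoints[key] = value[1:-1]
    return endpoints, errors


def check_report_to(policy, endpoints_header):
    """Return error codes for one CSP value plus its Reporting-Endpoints header."""
    endpoints, errors = parse_endpoints(endpoints_header)
    for directive in (d.split() for d in policy.split(";")):
        if not directive or directive[0].lower() != "report-to":
            continue
        if len(directive) > 2:
            errors.append("CSP-0501")  # more than one value
        elif len(directive) == 2 and directive[1] not in endpoints:
            errors.append("CSP-0502")  # endpoint name not defined
    return errors
```

An endpoint that fails parsing is never registered, so a report-to directive that names it also yields CSP-0502.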

For developers

ABNF (CSP3)

directive-name  = "report-to"
directive-value = token

See RFC 9110 § 5.6.2

Type

References
