SecurityPolicyViolationEvent

Baseline Widely available *

This feature is well established and works across many devices and browser versions. It’s been available across browsers since ⁨October 2018⁩.

* Some parts of this feature may have varying levels of support.

Note: This feature is available inWeb Workers.

TheSecurityPolicyViolationEvent interface inherits fromEvent, and represents the event object of asecuritypolicyviolation event sent on anElement,Document, orworker when itsContent Security Policy (CSP) is violated.

Constructor

SecurityPolicyViolationEvent(): Creates a newSecurityPolicyViolationEvent object instance.

Instance properties

SecurityPolicyViolationEvent.blockedURIRead only: A string representing the URI of the resource that was blocked because it violates a policy.
SecurityPolicyViolationEvent.columnNumberRead only: The column number in the document or worker at which the violation occurred.
SecurityPolicyViolationEvent.dispositionRead only: A string indicating whether the user agent is configured to enforce or just report the policy violation.
SecurityPolicyViolationEvent.documentURIRead only: A string representing the URI of the document or worker in which the violation occurred.
SecurityPolicyViolationEvent.effectiveDirectiveRead only: A string representing the directive that was violated.
SecurityPolicyViolationEvent.lineNumberRead only: The line number in the document or worker at which the violation occurred.
SecurityPolicyViolationEvent.originalPolicyRead only: A string containing the policy whose enforcement caused the violation.
SecurityPolicyViolationEvent.referrerRead only: A string representing the URL for the referrer of the resources whose policy was violated, ornull.
SecurityPolicyViolationEvent.sampleRead only: A string representing a sample of the resource that caused the violation, usually the first 40 characters. This will only be populated if the resource is an inline script, event handler, or style — external resources causing a violation will not generate a sample.
SecurityPolicyViolationEvent.sourceFileRead only: If the violation occurred as a result of a script, this will be the URL of the script; otherwise, it will benull.BothcolumnNumber andlineNumber should have non-null values if this property is notnull.
SecurityPolicyViolationEvent.statusCodeRead only: A number representing the HTTP status code of the document or worker in which the violation occurred.
SecurityPolicyViolationEvent.violatedDirectiveRead only: A string representing the directive that was violated.This is a historical alias ofeffectiveDirective.

Examples

document.addEventListener("securitypolicyviolation", (e) => {  console.log(e.blockedURI);  console.log(e.violatedDirective);  console.log(e.originalPolicy);});