
Integrity-Policy-Report-Only header

The HTTP Integrity-Policy-Report-Only response header allows website administrators to report on resources that the user agent loads that would violate Subresource Integrity guarantees if the integrity policy was enforced (using the Integrity-Policy header).

Reports may be generated for requests on specified request destinations that omit integrity metadata, or that are made in no-cors mode. For reports to be sent to a reporting endpoint, the Integrity-Policy-Report-Only header must specify a valid reporting endpoint name that matches an endpoint declared using the Reporting-Endpoints header. Reports are generated using the Reporting API, and may also be observed in the page for which the integrity policy is being reported, using a ReportingObserver. The format of the report body is given by the IntegrityViolationReportBody dictionary (a JSON-serialized form of this body is sent in POSTs to reporting server endpoints).

The header allows developers to test integrity policies and fix any content issues before eventually deploying an Integrity-Policy header to enforce the policy.

Header type: Response header

Syntax

http
Integrity-Policy-Report-Only: blocked-destinations=(<destination>), sources=(<source>), endpoints=(<endpoint>)

The header values are defined as structured field dictionaries with the following keys:

blocked-destinations

A list of request destinations that must include valid integrity metadata. Allowed values are:

script

Script resources.

style

Stylesheet resources.

sources (Optional)

A list of integrity sources that must include integrity metadata. Allowed values are:

inline

The integrity metadata source is inline to the content, such as the integrity attribute. This is the default.

As this is the default and only value, omitting sources is equivalent to specifying sources=(inline).

endpoints (Optional)

A list of reporting endpoint names that indicate where reports will be sent. The reporting endpoints must be defined in a Reporting-Endpoints header.
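As an added example (not MDN's text or code), the following JavaScript builds both header values from a plain configuration object and refuses an endpoint name that is not declared in Reporting-Endpoints, which would otherwise just mean that no reports arrive. The helper and variable names are my own assumptions; the code also covers the optional sources key and the style destination, going beyond the page's script-only example.

```javascript
// Added example (not MDN's code): build the Reporting-Endpoints and
// Integrity-Policy-Report-Only header values from a plain policy object and
// check that every endpoint the policy names is actually declared.

const ALLOWED_DESTINATIONS = new Set(["script", "style"]);
const ALLOWED_SOURCES = new Set(["inline"]);

// Structured-field inner list: tokens in parentheses, separated by spaces.
function innerList(items) {
  return `(${items.join(" ")})`;
}

// endpoints is { name: url }. The Reporting API defines each endpoint URL as
// a structured-field string, so it is emitted in double quotes.
function buildReportingEndpoints(endpoints) {
  return Object.entries(endpoints)
    .map(([name, url]) => `${name}="${url}"`)
    .join(", ");
}

// policy = { blockedDestinations: [...], sources?: [...], endpoints?: [...] }
// Returns the header value, or throws on values the header does not allow.
function buildIntegrityPolicyReportOnly(policy, declaredEndpoints) {
  const { blockedDestinations, sources = ["inline"], endpoints = [] } = policy;
  if (!blockedDestinations || blockedDestinations.length === 0) {
    throw new Error("blocked-destinations must list at least one destination");
  }
  for (const d of blockedDestinations) {
    if (!ALLOWED_DESTINATIONS.has(d)) throw new Error(`unsupported destination: ${d}`);
  }
  for (const s of sources) {
    if (!ALLOWED_SOURCES.has(s)) throw new Error(`unsupported source: ${s}`);
  }
  // A policy that names an endpoint missing from Reporting-Endpoints
  // silently produces no reports, so catch that at build time.
  for (const e of endpoints) {
    if (!(e in declaredEndpoints)) {
      throw new Error(`endpoint "${e}" is not declared in Reporting-Endpoints`);
    }
  }
  const parts = [`blocked-destinations=${innerList(blockedDestinations)}`];
  // sources=(inline) is the default, so only emit it when set explicitly.
  if (policy.sources) parts.push(`sources=${innerList(sources)}`);
  if (endpoints.length > 0) parts.push(`endpoints=${innerList(endpoints)}`);
  return parts.join(", ");
}

// Constructed configuration mirroring the page's example (hypothetical hosts).
const declaredEndpoints = {
  "integrity-endpoint": "https://example.com/integrity",
  "backup-integrity-endpoint": "https://report-provider.example/integrity",
};

// Returns the two response headers a server would set for the example policy.
function exampleHeaders() {
  return {
    "Reporting-Endpoints": buildReportingEndpoints(declaredEndpoints),
    "Integrity-Policy-Report-Only": buildIntegrityPolicyReportOnly(
      {
        blockedDestinations: ["script"],
        endpoints: ["integrity-endpoint", "backup-integrity-endpoint"],
      },
      declaredEndpoints,
    ),
  };
}

console.log(exampleHeaders());
```

Attach the returned headers to every HTML response that should be monitored; once the reports stop showing missing integrity metadata, the same value can be moved to the enforcing Integrity-Policy header unchanged.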

Examples

Reporting when scripts lack integrity metadata

This example shows a document that reports when any <script> (or HTMLScriptElement) does not specify an integrity attribute, or when a script resource is requested in no-cors mode.

Note that the integrity-endpoint used in Integrity-Policy-Report-Only is defined in the Reporting-Endpoints header.

http
Reporting-Endpoints: integrity-endpoint="https://example.com/integrity", backup-integrity-endpoint="https://report-provider.example/integrity"
Integrity-Policy-Report-Only: blocked-destinations=(script), endpoints=(integrity-endpoint backup-integrity-endpoint)

The report payload might look like this.

json
{  "type": "integrity-violation",  "url": "https://example.com",  "body": {    "documentURL": "https://example.com",    "blockedURL": "https://example.com/main.js",    "destination": "script",    "reportOnly": false  }}

Specifications

Specification: Subresource Integrity, # integrity-policy-section


This page was last modified by MDN contributors.
