HTTP response headers:
Cache-Control: private
Connection: keep-alive
Content-Encoding: gzip
Content-Security-Policy: default-src 'self' url.com *.url.com;
script-src 'self' 'unsafe-inline' 'unsafe-eval' url.com *.url.com;
style-src 'self' 'unsafe-inline' url.com *.url.com;
font-src 'self' url.com *.url.com;
img-src * data: blob:;
media-src * data: blob:;
frame-src *;
frame-ancestors 'self' url.com;
report-uri /page/web.php
(Directive names take no colon, and sources are separated by spaces, not commas; a browser ignores a directive it cannot parse.)
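To check a header like the one above before deploying it, here is an added example (not part of the original notes) that splits a CSP header into its directives and flags the sources that weaken it: 'unsafe-inline' and 'unsafe-eval' in script-src, bare wildcards, and a missing report-uri/report-to. The policy string is the header from the notes with its syntax corrected; the finding texts are this example's own.

```python
"""Parse a Content-Security-Policy header and flag weak sources.

Added example, not code from the original notes. NOTES_POLICY is the header
from the notes with its syntax fixed (no colons after directive names, no
commas between sources).
"""
from typing import Dict, List

# Constructed input: the corrected header from the notes
NOTES_POLICY = (
    "default-src 'self' url.com *.url.com; "
    "script-src 'self' 'unsafe-inline' 'unsafe-eval' url.com *.url.com; "
    "style-src 'self' 'unsafe-inline' url.com *.url.com; "
    "font-src 'self' url.com *.url.com; "
    "img-src * data: blob:; "
    "media-src * data: blob:; "
    "frame-src *; "
    "frame-ancestors 'self' url.com; "
    "report-uri /page/web.php"
)


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [source, ...]}.

    Directives are separated by ';' and a directive's tokens by whitespace.
    Directive names are case-insensitive, and a browser ignores a directive
    name that is repeated later in the policy, so the first occurrence wins.
    """
    policy: Dict[str, List[str]] = {}
    for raw in header.split(";"):
        tokens = raw.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in policy:  # duplicates are ignored by browsers
            policy[name] = tokens[1:]
    return policy


def lint_csp(policy: Dict[str, List[str]]) -> List[str]:
    """Return human-readable findings for sources that weaken the policy."""
    findings: List[str] = []
    for directive, sources in policy.items():
        if directive in ("script-src", "default-src"):
            for weak in ("'unsafe-inline'", "'unsafe-eval'"):
                if weak in sources:
                    findings.append(f"{directive} allows {weak}")
        # a bare '*' matches any origin; '*.url.com' is a host pattern, not a wildcard
        if "*" in sources and directive != "report-uri":
            findings.append(f"{directive} allows any origin (*)")
    if "report-uri" not in policy and "report-to" not in policy:
        findings.append("no report-uri/report-to: violations go unreported")
    return findings


if __name__ == "__main__":
    parsed = parse_csp(NOTES_POLICY)
    for directive, sources in parsed.items():
        print(f"{directive:16} {' '.join(sources)}")
    print()
    for finding in lint_csp(parsed):
        print("WARN", finding)
```

Run it against the notes' policy and it reports that script-src permits both 'unsafe-inline' and 'unsafe-eval', which lets any injected inline script run despite the host allowlist, and that img-src, media-src and frame-src accept any origin; only report-uri is present, so violations do get reported.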
With report-uri, if the user tries to insert a script that the policy blocks, the browser sends a violation report to the server:
POST
source = cfp, type: js
Content-Type: application/csp-report
Body:
{"csp-report":
  {"blocked-uri": "http://url-bad.com:port",
   "document-uri": "https://current-page-url.com/",
   "original-policy": "{what's inside Content-Security-Policy Header}",
   "referrer": "",
   "violated-directive": "script-src http://siteweb.com 'unsafe-inline' 'unsafe-eval' ...."}}
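On the receiving side, the endpoint named in report-uri (here /page/web.php) has to accept that POST body. The following is an added example of such a receiver written in Python rather than PHP; it is not the notes' /page/web.php. It checks the media type, bounds the body size (the endpoint is unauthenticated, so anyone can post to it), validates the csp-report object and returns a flat record for logging or a SIEM. The sample body is the report from the notes with the placeholders filled with constructed values (port 8080, a short policy string).

```python
"""Receive and validate a CSP violation report (application/csp-report).

Added example; not the receiver from the original notes. SAMPLE_BODY is a
constructed body modelled on the report shown in the notes.
"""
import json
from typing import Any, Dict

MAX_REPORT_BYTES = 16 * 1024  # unauthenticated endpoint: cap what we will parse

# Constructed sample body (port and original-policy are made-up values)
SAMPLE_BODY = json.dumps({
    "csp-report": {
        "blocked-uri": "http://url-bad.com:8080",
        "document-uri": "https://current-page-url.com/",
        "original-policy": "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'",
        "referrer": "",
        "violated-directive": "script-src http://siteweb.com 'unsafe-inline' 'unsafe-eval'",
    }
}).encode()

# Fields an analyst needs to triage a report
REQUIRED = ("blocked-uri", "document-uri", "violated-directive")


class BadReport(ValueError):
    """Raised when the request is not a well-formed CSP report."""


def handle_csp_report(content_type: str, body: bytes) -> Dict[str, str]:
    """Validate an incoming report and return a flat record for logging."""
    media_type = content_type.split(";")[0].strip().lower()
    if media_type != "application/csp-report":
        raise BadReport(f"unexpected content type {content_type!r}")
    if len(body) > MAX_REPORT_BYTES:
        raise BadReport("report body too large")
    try:
        payload: Any = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise BadReport(f"malformed JSON: {exc}") from exc
    report = payload.get("csp-report") if isinstance(payload, dict) else None
    if not isinstance(report, dict):
        raise BadReport("missing csp-report object")
    missing = [k for k in REQUIRED if not isinstance(report.get(k), str)]
    if missing:
        raise BadReport(f"missing fields: {missing}")
    # violated-directive carries the whole directive text; its first token is the name
    tokens = report["violated-directive"].split()
    if not tokens:
        raise BadReport("empty violated-directive")
    return {
        "page": report["document-uri"],
        "directive": tokens[0],
        "blocked": report["blocked-uri"],
        "referrer": report.get("referrer", ""),
    }


if __name__ == "__main__":
    print(handle_csp_report("application/csp-report", SAMPLE_BODY))
```

A real deployment would call handle_csp_report from the web framework's request handler, log the returned record, and answer 204 whatever the outcome: browsers do not act on the response, and a noisy reply only helps whoever is probing the endpoint.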