Content-Security-Policy-Report-Only Cannot Be Declared Between META Tags - Vulnerability Database

Description

The Content-Security-Policy-Report-Only header has been incorrectly implemented using an HTML META tag. According to the CSP specification, Content-Security-Policy-Report-Only can only be delivered as an HTTP response header; it is not supported in a META element of the HTML document. Browsers therefore ignore a META-declared report-only policy: no violation reports are generated, which defeats the purpose of testing CSP rules before full deployment.

Remediation

Remove the Content-Security-Policy-Report-Only directive from all META tags and implement it exclusively as an HTTP response header. Configure your web server or application to send the header in the HTTP response:

Example HTTP Header:

Content-Security-Policy-Report-Only: default-src 'self'; script-src 'self' https://trusted.cdn.com; report-uri /csp-violation-report

Implementation Steps:
1. Identify and remove any META tags containing Content-Security-Policy-Report-Only from your HTML documents
2. Configure your web server (Apache, Nginx, IIS) or application framework to send the header in HTTP responses
3. Set up a report-uri or report-to endpoint to collect violation reports
4. Monitor the reports to identify any violations before enforcing the policy
5. Once testing is complete, transition to the enforcing Content-Security-Policy header

Note: If you need to declare CSP via META tags for other purposes, only the enforcing Content-Security-Policy directive is supported in META tags, not the report-only variant.
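The following Python script is an added example (not Invicti's code, and not taken from this entry) showing both halves of the remediation: a scanner that flags META tags carrying Content-Security-Policy-Report-Only, which browsers silently ignore, and a WSGI middleware that delivers the same policy as a response header. The policy string reuses the example header above; the sample HTML and the stub application are constructed for the demonstration.

```python
from html.parser import HTMLParser

REPORT_ONLY = "Content-Security-Policy-Report-Only"
POLICY = ("default-src 'self'; script-src 'self' https://trusted.cdn.com; "
          "report-uri /csp-violation-report")  # the page's example header value
SAMPLE_HTML = """<html><head>
<meta http-equiv="Content-Security-Policy-Report-Only" content="default-src 'self'">
<meta http-equiv="Content-Security-Policy" content="default-src 'self'">
</head><body></body></html>"""  # constructed sample; first META is the misconfiguration

class _MetaCspFinder(HTMLParser):
    """Collects META tags that try to deliver the report-only policy."""
    def __init__(self):
        super().__init__()
        self.found = []  # content attribute of each offending META tag

    def handle_starttag(self, tag, attrs):
        if tag != "meta":  # HTMLParser lowercases tag and attribute names
            return
        a = {k: (v or "") for k, v in attrs}
        if a.get("http-equiv", "").strip().lower() == REPORT_ONLY.lower():
            self.found.append(a.get("content", ""))

def find_report_only_meta(html):
    """Return policies declared via META; browsers ignore these, so nothing is reported."""
    parser = _MetaCspFinder()
    parser.feed(html)
    return parser.found

def csp_report_only_middleware(app, policy=POLICY):
    """WSGI wrapper that delivers the policy as an HTTP response header instead."""
    def wrapped(environ, start_response):
        def start(status, headers, exc_info=None):
            kept = [h for h in headers if h[0].lower() != REPORT_ONLY.lower()]
            return start_response(status, kept + [(REPORT_ONLY, policy)], exc_info)
        return app(environ, start)
    return wrapped

def demo_headers():
    """Run the middleware over a stub app and return the headers it emits."""
    captured = {}
    def stub_app(environ, start_response):
        start_response("200 OK", [("Content-Type", "text/html")])
        return [b"<html></html>"]
    def capture(status, headers, exc_info=None):
        captured["headers"] = headers
    list(csp_report_only_middleware(stub_app)({}, capture))
    return captured["headers"]
```

Run `find_report_only_meta` over each rendered page of the site to confirm step 1 is complete, and compare `demo_headers()` with the headers your real server returns to confirm step 2.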

Severity

Information