Content-Security-Policy-Report-Only Cannot Be Declared Without report-uri Directive
Description
The Content-Security-Policy-Report-Only header has been configured without a report-uri or report-to directive. This misconfiguration prevents the browser from sending violation reports, which defeats the primary purpose of using the report-only mode. Report-only mode is designed to test CSP policies in production without blocking content, while collecting violation data to identify potential issues before enforcing the policy.
Remediation
Add either a report-uri directive (deprecated but widely supported) or a report-to directive (modern standard) to your Content-Security-Policy-Report-Only header to enable violation reporting.
Option 1 - Using report-uri (legacy, broad compatibility):
Content-Security-Policy-Report-Only: default-src 'self'; report-uri /csp-violation-report-endpoint

Option 2 - Using report-to (modern standard):
Report-To: {"group":"csp-endpoint","max_age":10886400,"endpoints":[{"url":"/csp-violation-report-endpoint"}]}
Content-Security-Policy-Report-Only: default-src 'self'; report-to csp-endpoint

Option 3 - Using both for maximum compatibility:
Report-To: {"group":"csp-endpoint","max_age":10886400,"endpoints":[{"url":"/csp-violation-report-endpoint"}]}
Content-Security-Policy-Report-Only: default-src 'self'; report-uri /csp-violation-report-endpoint; report-to csp-endpoint

Ensure the reporting endpoint is configured to receive and log POST requests containing JSON-formatted violation reports. Monitor these reports to identify necessary policy adjustments before enforcing the CSP.
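The following Python example is added here to illustrate both halves of this finding; it is not part of the original advisory or of any scanner's code. The first function, check_report_only, reproduces the check described above: it parses a Content-Security-Policy-Report-Only header and reports when neither report-uri nor report-to is present, and additionally flags a report-to group that no Report-To header declares. The second function, summarize_violations, shows what a reporting endpoint has to handle, normalising both the legacy report-uri body ("csp-report" object) and the modern report-to body (array of "csp-violation" reports) into one shape. Function names and the sample headers and report bodies are constructed for the example; the Reporting-Endpoints header, which can also declare groups, is deliberately not handled.

```python
import json

CSP_RO = "content-security-policy-report-only"


def parse_csp(value):
    """Split a CSP header value into {directive-name: [tokens]}.
    Directives are ';'-separated; the first token is the name."""
    directives = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def report_to_groups(value):
    """Return the group names declared by a Report-To header.
    The header carries one or more comma-separated JSON objects; a
    missing 'group' member means the group named 'default'."""
    try:
        objects = json.loads("[" + value + "]")
    except json.JSONDecodeError:
        return set()
    return {o.get("group", "default") for o in objects if isinstance(o, dict)}


def check_report_only(headers):
    """Return a list of finding strings for one response's headers.
    Header names are matched case-insensitively; an absent
    Content-Security-Policy-Report-Only header yields no findings."""
    lower = {k.lower(): v for k, v in headers.items()}
    policy = lower.get(CSP_RO)
    if policy is None:
        return []
    directives = parse_csp(policy)
    uri = directives.get("report-uri", [])
    to = directives.get("report-to", [])
    findings = []
    if not uri and not to:
        # The condition this advisory describes: report-only mode with no destination.
        findings.append("no report-uri or report-to directive: violation reports are never sent")
        return findings
    if to and to[0] not in report_to_groups(lower.get("report-to", "")):
        # report-to names a group, but nothing declares where that group delivers.
        findings.append(f"report-to group '{to[0]}' is not declared in a Report-To header")
    return findings


def summarize_violations(body):
    """Normalise a violation report body into a list of
    {directive, blocked, document} dicts, accepting both the legacy
    report-uri format and the modern report-to format."""
    data = json.loads(body)
    if isinstance(data, dict) and "csp-report" in data:
        r = data["csp-report"]
        return [{"directive": r.get("violated-directive"),
                 "blocked": r.get("blocked-uri"),
                 "document": r.get("document-uri")}]
    out = []
    for item in data if isinstance(data, list) else [data]:
        if isinstance(item, dict) and item.get("type") == "csp-violation":
            b = item.get("body", {})
            out.append({"directive": b.get("effectiveDirective"),
                        "blocked": b.get("blockedURL"),
                        "document": b.get("documentURL")})
    return out


# Constructed sample headers and report bodies (not captured from a real site).
MISCONFIGURED = {"Content-Security-Policy-Report-Only": "default-src 'self'"}
OPTION_2 = {
    "Report-To": '{"group":"csp-endpoint","max_age":10886400,'
                 '"endpoints":[{"url":"/csp-violation-report-endpoint"}]}',
    "Content-Security-Policy-Report-Only": "default-src 'self'; report-to csp-endpoint",
}
LEGACY_REPORT = json.dumps({"csp-report": {
    "document-uri": "https://app.example.test/",
    "violated-directive": "script-src",
    "blocked-uri": "https://cdn.example.test/lib.js"}})
MODERN_REPORT = json.dumps([{"type": "csp-violation", "age": 0,
    "url": "https://app.example.test/",
    "body": {"documentURL": "https://app.example.test/",
             "effectiveDirective": "img-src",
             "blockedURL": "https://tracker.example.test/pixel.gif"}}])

if __name__ == "__main__":
    print(check_report_only(MISCONFIGURED))
    print(check_report_only(OPTION_2))
    print(summarize_violations(LEGACY_REPORT))
    print(summarize_violations(MODERN_REPORT))
```

Run against MISCONFIGURED the checker returns the single finding that matches this advisory, and against OPTION_2 it returns nothing. Feeding summarize_violations the two sample bodies yields the same {directive, blocked, document} shape for both report formats, which is the shape a logging endpoint should store so that policy adjustments can be decided from one view regardless of which directive the browser used.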