
Class CSPViolationReportBody

Namespace
CSharpToJavaScript.APIs.JS
Assembly
CSharpToJavaScript.dll

The CSPViolationReportBody interface is an extension of the Reporting API that represents the body of a Content Security Policy (CSP) violation report.

[Value("CSPViolationReportBody")]
public class CSPViolationReportBody : ReportBody
Inheritance
CSPViolationReportBody

Remarks

CSP violations are thrown when the webpage attempts to load a resource that violates the policy set by the Content-Security-Policy HTTP header.

CSP violation reports are returned in the reports parameter of ReportingObserver callbacks that have a type of "csp-violation".
The body property of those reports is an instance of CSPViolationReportBody.

CSP violation reports may also be sent as JSON objects to the endpoint specified in the report-to policy directive of the Content-Security-Policy header.
These reports similarly have a type of "csp-violation", and a body property containing a serialization of an instance of this interface.

NOTE

CSP violation reports sent by the Reporting API, when an endpoint is specified using the CSP report-to directive, are similar (but not identical) to the "CSP report" JSON objects sent when endpoints are specified using the report-uri directive.
The Reporting API and report-to directive are intended to replace the older report format and the report-uri directive.

-ReportBody
-ReportingObserver
-Content-Security-Policy
-SecurityPolicyViolationEvent

See also on MDN

Constructors

CSPViolationReportBody()

public CSPViolationReportBody()

Properties

BlockedURL

The blockedURL read-only property of the CSPViolationReportBody interface is a string value that represents the resource that was blocked because it violates a Content Security Policy (CSP).

[Value("blockedURL")]
public string? BlockedURL { get; }

Property Value

string

A string containing a value or URL that represents the resource that violated the policy. If the value is not the URL of a resource, it must be one of the following strings:

Remarks

ColumnNumber

The columnNumber read-only property of the CSPViolationReportBody interface indicates the column number in the source file that triggered the Content Security Policy (CSP) violation.

[Value("columnNumber")]
public ulong? ColumnNumber { get; }

Property Value

ulong?

An integer containing the column number that triggered the violation, or null.

Remarks

Note that the browser extracts the value from the global object of the file that triggered the violation.
If the resource that triggers the CSP violation is not loaded, the value will be null.
See SourceFile for more information.

This property is most useful alongside SourceFile and LineNumber, as it provides the location of the column in that file and line that resulted in a violation.

-ColumnNumber

See also on MDN

Disposition

The disposition read-only property of the CSPViolationReportBody interface indicates whether the user agent is configured to enforce Content Security Policy (CSP) violations or only report them.

[Value("disposition")]
public SecurityPolicyViolationEventDisposition Disposition { get; }

Property Value

SecurityPolicyViolationEventDisposition

Possible values are:

Remarks

DocumentURL

The documentURL read-only property of the CSPViolationReportBody interface is a string that represents the URL of the document or worker that violated the Content Security Policy (CSP).

[Value("documentURL")]
public string DocumentURL { get; }

Property Value

string

A string containing the URL of the document or worker that violated the CSP.

Remarks

EffectiveDirective

The effectiveDirective read-only property of the CSPViolationReportBody interface is a string that represents the effective Content Security Policy (CSP) directive that was violated.

[Value("effectiveDirective")]
public string EffectiveDirective { get; }

Property Value

string

A string representing the effective Content-Security-Policy directive that was violated.

Remarks

Note that this contains the specific directive that was effectively violated, such as script-src-elem for violations related to script elements, and not the policy that was specified, which may have been the (more general) default-src.

-EffectiveDirective

See also on MDN

LineNumber

The lineNumber read-only property of the CSPViolationReportBody interface indicates the line number in the source file that triggered the Content Security Policy (CSP) violation.

[Value("lineNumber")]
public ulong? LineNumber { get; }

Property Value

ulong?

An integer containing the line number that triggered the violation, or null.

Remarks

Note that the browser extracts the value from the global object of the file that triggered the violation.
If the resource that triggers the CSP violation is not loaded, the value will be null.
See SourceFile for more information.

This property is most useful alongside SourceFile and ColumnNumber, as it provides the location of the line in that file and the column that resulted in a violation.

-LineNumber

See also on MDN

OriginalPolicy

The originalPolicy read-only property of the CSPViolationReportBody interface is a string that represents the Content Security Policy (CSP) whose enforcement uncovered the violation.

[Value("originalPolicy")]
public string OriginalPolicy { get; }

Property Value

string

A string representing the policy whose enforcement uncovered the violation.

Remarks

This is the string in the Content-Security-Policy HTTP response header that contains the list of directives and their values that make the CSP policy.
Note that this differs from the EffectiveDirective, which is the specific directive that is effectively being violated (and which might not be explicitly listed in the policy if default-src is used).

-OriginalPolicy

See also on MDN

Referrer

The referrer read-only property of the CSPViolationReportBody interface is a string that represents the URL of the referring page of the resource whose Content Security Policy (CSP) was violated.

[Value("referrer")]
public string? Referrer { get; }

Property Value

string

A string representing the URL for the referrer of the page with the CSP violation, or null. Note that if the referrer is an HTTP(S) URL then any username, password or fragment is removed.
If the URL scheme is not http: or https: then just the scheme is returned.

Remarks

The referrer is the page that caused the page with the CSP violation to be loaded. For example, if we followed a link to a page with a CSP violation, the referrer is the page that we navigated from.

-Referrer
-Referer

See also on MDN

Sample

The sample read-only property of the CSPViolationReportBody interface is a string that contains a part of the resource that violated the Content Security Policy (CSP).

[Value("sample")]
public string? Sample { get; }

Property Value

string

A string containing a sample of the inline resource that violated the CSP, usually the first 40 characters, or the empty string.

Remarks

This sample is usually the first 40 characters of the inline script, event handler, or style that violated a CSP restriction.
If not populated it is the empty string "".

Note that this is only populated when attempting to load inline scripts, event handlers, or styles that violate CSP script-src* and style-src* rules — external resources that violate the CSP will not generate a sample.
In addition, a sample is only included if the Content-Security-Policy directive that was violated also contains the 'report-sample' keyword.

NOTE

Violation reports should be considered attacker-controlled data.
The content of this field in particular should be sanitized before storing or rendering.

-Sample

See also on MDN
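The delivery path described in the overview Remarks (a ReportingObserver callback receiving reports of type "csp-violation") and the sanitization note on Sample above, worked through as an added JavaScript example; this is not code from the CSharpToJavaScript project or from MDN, and the size caps, the escaping scheme and the sample report are constructed assumptions.

```javascript
// Added example: not code from the CSharpToJavaScript project. Field names are
// those of CSPViolationReportBody; FIELD_MAX/SAMPLE_MAX caps are assumptions.
const SAMPLE_MAX = 40;    // browsers send about the first 40 chars of a sample
const FIELD_MAX = 2048;   // cap for URL-like fields before they are stored

// Escape characters that could break a log line or an HTML log viewer.
function escapeForLog(value, max) {
  return String(value).slice(0, max).replace(/[<>&"'\r\n\t]/g,
    (c) => "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0"));
}

// One report -> flat sanitized record; null unless it is a csp-violation with a body.
function normalizeCspViolation(report) {
  if (!report || report.type !== "csp-violation" || !report.body) return null;
  const b = report.body;
  // A blocked external resource never loads, so it has no global object:
  // sourceFile, lineNumber and columnNumber are then null.
  const located = typeof b.sourceFile === "string";
  return {
    documentURL: escapeForLog(b.documentURL ?? "", FIELD_MAX),
    blockedURL: escapeForLog(b.blockedURL ?? "", FIELD_MAX),
    effectiveDirective: escapeForLog(b.effectiveDirective ?? "", 64),
    enforced: b.disposition === "enforce",   // false for report-only policies
    location: located ? { sourceFile: escapeForLog(b.sourceFile, FIELD_MAX),
                          line: b.lineNumber ?? null, column: b.columnNumber ?? null }
                      : null,
    // The sample is attacker-influenced inline content: cap it and escape it.
    sample: escapeForLog(b.sample ?? "", SAMPLE_MAX),
  };
}
// Browser wiring, guarded so the file also loads where ReportingObserver is absent.
if (typeof ReportingObserver !== "undefined") {
  new ReportingObserver((reports) => {
    for (const r of reports) {
      const rec = normalizeCspViolation(r);
      if (rec) console.log(JSON.stringify(rec));
    }
  }, { types: ["csp-violation"], buffered: true }).observe();
}

// Constructed sample report (not captured from a real browser).
const SAMPLE_REPORT = {
  type: "csp-violation", url: "https://example.test/page",
  body: { documentURL: "https://example.test/page", blockedURL: "inline",
          effectiveDirective: "script-src-elem", disposition: "enforce",
          originalPolicy: "script-src 'self' 'report-sample'; report-to csp",
          sourceFile: "https://example.test/page", lineNumber: 12, columnNumber: 8,
          sample: '<script>console.log("hi")</script>' },
};
```

The same normalization applies to the JSON bodies delivered to a report-to endpoint, since they carry the same fields as the ReportingObserver body.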

SourceFile

The sourceFile read-only property of the CSPViolationReportBody interface indicates the URL of the source file that violated the Content Security Policy (CSP).

[Value("sourceFile")]
public string? SourceFile { get; }

Property Value

string

A string containing the URL of the file that triggered the violation, or null.

Remarks

For a violation triggered by the use of an inline script, sourceFile is the URL of the current document.
Similarly, if a document successfully loads a script that then violates the document CSP, the sourceFile is the URL of the script.

Note however that if a document with a CSP that blocks external resources attempts to load an external resource, sourceFile will be null.
This is because the browser extracts the value from the global object of the file that triggered the violation.
Because of the CSP restriction the external resource is never loaded, and therefore has no corresponding global object.

This property is most useful alongside LineNumber and ColumnNumber, which provide the location within the file that resulted in a violation.

-SourceFile

See also on MDN

StatusCode

The statusCode read-only property of the CSPViolationReportBody interface is a number representing the HTTP status code of the response to the request that triggered a Content Security Policy (CSP) violation (when loading a window or worker).

[Value("statusCode")]
public ushort StatusCode { get; }

Property Value

ushort

A number representing the HTTP status code of the response to the request that triggered the CSP violation.

Remarks

Methods

ToJSON()

IMPORTANT

Deprecated

The toJSON() method of the CSPViolationReportBody interface is a serializer, which returns a JSON representation of the CSPViolationReportBody object.

[Value("toJSON")]
public Object ToJSON()

Returns

Object

A JSON object that is the serialization of the CSPViolationReportBody object.

Remarks

The existence of a toJSON() method allows CSPViolationReportBody objects to be converted to a string using the JSONStringify method.

This is used by the reporting API when creating a serialized version of a violation report to send to a reporting endpoint.

See also on MDN