SecurityPolicyViolationEvent
Baseline Widely available
This feature is well established and works across many devices and browser versions. It’s been available across browsers since August 2016.
Note: This feature is available in Web Workers.
The SecurityPolicyViolationEvent
interface inherits from Event
, and represents the event object of a securitypolicyviolation
event sent on an Element
, Document
, or worker when its Content Security Policy (CSP) is violated.
Constructor
SecurityPolicyViolationEvent()
-
Creates a new
SecurityPolicyViolationEvent
object instance.
Instance properties
SecurityPolicyViolationEvent.blockedURI
Read only-
A string representing the URI of the resource that was blocked because it violates a policy.
SecurityPolicyViolationEvent.columnNumber
Read only-
The column number in the document or worker at which the violation occurred.
SecurityPolicyViolationEvent.disposition
Read only-
A string indicating whether the user agent is configured to enforce or just report the policy violation.
SecurityPolicyViolationEvent.documentURI
Read only-
A string representing the URI of the document or worker in which the violation occurred.
SecurityPolicyViolationEvent.effectiveDirective
Read only-
A string representing the directive that was violated.
SecurityPolicyViolationEvent.lineNumber
Read only-
The line number in the document or worker at which the violation occurred.
SecurityPolicyViolationEvent.originalPolicy
Read only-
A string containing the policy whose enforcement caused the violation.
SecurityPolicyViolationEvent.referrer
Read only-
A string representing the URL for the referrer of the resources whose policy was violated, or
null
. SecurityPolicyViolationEvent.sample
Read only-
A string representing a sample of the resource that caused the violation, usually the first 40 characters. This will only be populated if the resource is an inline script, event handler, or style — external resources causing a violation will not generate a sample.
SecurityPolicyViolationEvent.sourceFile
Read only-
If the violation occurred as a result of a script, this will be the URL of the script; otherwise, it will be
null
. BothcolumnNumber
andlineNumber
should have non-null values if this property is notnull
. SecurityPolicyViolationEvent.statusCode
Read only-
A number representing the HTTP status code of the document or worker in which the violation occurred.
SecurityPolicyViolationEvent.violatedDirective
Read only-
A string representing the directive that was violated. This is a historical alias of
effectiveDirective
.
Examples
document.addEventListener("securitypolicyviolation", (e) => {
console.log(e.blockedURI);
console.log(e.violatedDirective);
console.log(e.originalPolicy);
});
Specifications
Specification |
---|
Content Security Policy Level 3 # report-violation |
Browser compatibility
BCD tables only load in the browser
See also
- HTTP Content Security Policy (CSP)
CSPViolationReportBody
- The
securitypolicyviolation
event of theElement
interface - The
securitypolicyviolation
event of theDocument
interface - The
securitypolicyviolation
event of theWorkerGlobalScope
interface