SecurityPolicyViolationEvent

Baseline Widely available

This feature is well established and works across many devices and browser versions. It’s been available across browsers since August 2016.

Note: This feature is available in Web Workers.

The SecurityPolicyViolationEvent interface inherits from Event, and represents the event object of a securitypolicyviolation event sent on an Element, Document, or worker when its Content Security Policy (CSP) is violated.


Constructor

SecurityPolicyViolationEvent()

Creates a new SecurityPolicyViolationEvent object instance.

Instance properties

SecurityPolicyViolationEvent.blockedURI Read only

A string representing the URI of the resource that was blocked because it violates a policy.

SecurityPolicyViolationEvent.columnNumber Read only

The column number in the document or worker at which the violation occurred.

SecurityPolicyViolationEvent.disposition Read only

A string indicating whether the user agent is configured to enforce or just report the policy violation.

SecurityPolicyViolationEvent.documentURI Read only

A string representing the URI of the document or worker in which the violation occurred.

SecurityPolicyViolationEvent.effectiveDirective Read only

A string representing the directive that was violated.

SecurityPolicyViolationEvent.lineNumber Read only

The line number in the document or worker at which the violation occurred.

SecurityPolicyViolationEvent.originalPolicy Read only

A string containing the policy whose enforcement caused the violation.

SecurityPolicyViolationEvent.referrer Read only

A string representing the URL for the referrer of the resources whose policy was violated, or null.

SecurityPolicyViolationEvent.sample Read only

A string representing a sample of the resource that caused the violation, usually the first 40 characters. This will only be populated if the resource is an inline script, event handler, or style — external resources causing a violation will not generate a sample.

SecurityPolicyViolationEvent.sourceFile Read only

If the violation occurred as a result of a script, this will be the URL of the script; otherwise, it will be null. Both columnNumber and lineNumber should have non-null values if this property is not null.

SecurityPolicyViolationEvent.statusCode Read only

A number representing the HTTP status code of the document or worker in which the violation occurred.

SecurityPolicyViolationEvent.violatedDirective Read only

A string representing the directive that was violated. This is a historical alias of effectiveDirective.

Examples

js
document.addEventListener("securitypolicyviolation", (e) => {
  console.log(e.blockedURI);
  console.log(e.violatedDirective);
  console.log(e.originalPolicy);
});
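The following is an added example, not code from the original page. It copies the properties listed above into a serializable record, falls back to the violatedDirective alias, and de-duplicates repeated violations so enforced blocks can be triaged ahead of report-only ones. The names toRecord, createCollector and runSample and the sample events are assumptions made for illustration; plain objects stand in for real events so the code also runs outside a browser.

```javascript
const FIELDS = ["blockedURI", "disposition", "documentURI", "sourceFile",
  "lineNumber", "columnNumber", "sample", "statusCode"];

// Copy the read-only event properties into a plain, serializable record.
function toRecord(e) {
  const rec = {};
  for (const f of FIELDS) rec[f] = e[f] ?? null;
  // violatedDirective is the historical alias of effectiveDirective.
  rec.effectiveDirective = e.effectiveDirective || e.violatedDirective || null;
  // sample is only populated for inline script, event handler or style violations.
  rec.inline = typeof e.sample === "string" && e.sample.length > 0;
  // lineNumber and columnNumber are only meaningful when sourceFile is set.
  rec.location = rec.sourceFile
    ? `${rec.sourceFile}:${rec.lineNumber}:${rec.columnNumber}` : null;
  return rec;
}

// Collector that counts repeated violations instead of storing each one.
function createCollector() {
  const seen = new Map();
  const rank = (r) => (r.disposition === "enforce" ? 0 : 1);
  return {
    handle(e) {
      const rec = toRecord(e);
      const key = [rec.disposition, rec.effectiveDirective, rec.blockedURI, rec.location].join("|");
      const entry = seen.get(key) || { ...rec, count: 0 };
      entry.count += 1;
      seen.set(key, entry);
      return entry;
    },
    // Enforced (blocked) violations first, then report-only ones.
    summary: () => [...seen.values()].sort((a, b) => rank(a) - rank(b)),
  };
}

// Constructed sample events (not captured from a real page).
const SAMPLE_EVENTS = [
  { blockedURI: "inline", effectiveDirective: "script-src-elem", disposition: "report", documentURI: "https://app.example/", sourceFile: null, lineNumber: 0, columnNumber: 0, sample: "initWidget();", statusCode: 200 },
  { blockedURI: "https://cdn.example/data.json", violatedDirective: "connect-src", disposition: "enforce", documentURI: "https://app.example/", sourceFile: "https://app.example/main.js", lineNumber: 12, columnNumber: 5, sample: "", statusCode: 200 },
];

function runSample() {
  const collector = createCollector();
  // The second event is delivered twice to show de-duplication.
  for (const e of [...SAMPLE_EVENTS, SAMPLE_EVENTS[1]]) collector.handle(e);
  return collector.summary();
}
// In a page: document.addEventListener("securitypolicyviolation", (e) => collector.handle(e));
```
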

Specifications

Content Security Policy Level 3, # report-violation
