SecurityPolicyViolationEvent
Baseline Widely available
This feature is well established and works across many devices and browser versions. It’s been available across browsers since August 2016.
Note: This feature is available in Web Workers.
The SecurityPolicyViolationEvent interface inherits from Event, and represents the event object of a securitypolicyviolation event sent on an Element, Document, or worker when its Content Security Policy (CSP) is violated.
Constructor
SecurityPolicyViolationEvent()-
Creates a new
SecurityPolicyViolationEventobject instance.
Instance properties
SecurityPolicyViolationEvent.blockedURIRead only-
A string representing the URI of the resource that was blocked because it violates a policy.
SecurityPolicyViolationEvent.columnNumberRead only-
The column number in the document or worker at which the violation occurred.
SecurityPolicyViolationEvent.dispositionRead only-
A string indicating whether the user agent is configured to enforce or just report the policy violation.
SecurityPolicyViolationEvent.documentURIRead only-
A string representing the URI of the document or worker in which the violation occurred.
SecurityPolicyViolationEvent.effectiveDirectiveRead only-
A string representing the directive that was violated.
SecurityPolicyViolationEvent.lineNumberRead only-
The line number in the document or worker at which the violation occurred.
SecurityPolicyViolationEvent.originalPolicyRead only-
A string containing the policy whose enforcement caused the violation.
SecurityPolicyViolationEvent.referrerRead only-
A string representing the URL for the referrer of the resources whose policy was violated, or
null. SecurityPolicyViolationEvent.sampleRead only-
A string representing a sample of the resource that caused the violation, usually the first 40 characters. This will only be populated if the resource is an inline script, event handler, or style — external resources causing a violation will not generate a sample.
SecurityPolicyViolationEvent.sourceFileRead only-
If the violation occurred as a result of a script, this will be the URL of the script; otherwise, it will be
null. BothcolumnNumberandlineNumbershould have non-null values if this property is notnull. SecurityPolicyViolationEvent.statusCodeRead only-
A number representing the HTTP status code of the document or worker in which the violation occurred.
SecurityPolicyViolationEvent.violatedDirectiveRead only-
A string representing the directive that was violated. This is a historical alias of
effectiveDirective.
Examples
document.addEventListener("securitypolicyviolation", (e) => {
console.log(e.blockedURI);
console.log(e.violatedDirective);
console.log(e.originalPolicy);
});
Specifications
| Specification |
|---|
| Content Security Policy Level 3 # report-violation |
Browser compatibility
BCD tables only load in the browser
See also
- HTTP Content Security Policy (CSP)
CSPViolationReportBody- The
securitypolicyviolationevent of theElementinterface - The
securitypolicyviolationevent of theDocumentinterface - The
securitypolicyviolationevent of theWorkerGlobalScopeinterface