The Report-To HTTP response header field instructs the user agent to store reporting endpoints for an origin.
Content-Security-Policy: ...; report-to groupname
The directive has no effect in and of itself, but only gains meaning in combination with other directives.
| CSP version | 1 |
|---|---|
| Directive type | Reporting directive |
This directive is not supported in the <meta> element. | |
Content-Security-Policy: report-to <json-field-value>;
See Content-Security-Policy-Report-Only for more information and examples.
Report-To: { "group": "csp-endpoint", "max-age": 10886400, "endpoints": [ { "url": "https://example.com/csp-reports" } ] }, { "group": "hpkp-endpoint", "max-age": 10886400, "endpoints": [ { "url": "https://example.com/hpkp-reports" } ] } Content-Security-Policy: ...; report-to csp-endpoint
Report-To: { "group": "endpoint-1", "max-age": 10886400, "endpoints": [ { "url": "https://example.com/reports" }, { "url": "https://backup.com/reports" } ] } Content-Security-Policy: ...; report-to endpoint-1
The compatibility table in this page is generated from structured data. If you'd like to contribute to the data, please check out https://github.com/mdn/browser-compat-data and send us a pull request.
| Desktop | ||||||
|---|---|---|---|---|---|---|
| Chrome | Edge | Firefox | Internet Explorer | Opera | Safari | |
| Basic support | No | No | No | No | No | No |
| Mobile | |||||||
|---|---|---|---|---|---|---|---|
| Android webview | Chrome for Android | Edge Mobile | Firefox for Android | Opera for Android | iOS Safari | Samsung Internet | |
| Basic support | No | No | No | No | No | No | No |
© 2005–2018 Mozilla Developer Network and individual contributors.
Licensed under the Creative Commons Attribution-ShareAlike License v2.5 or later.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-to