
I have a CSP in place with 'Content-Security-Policy-Report-Only' mode and report-uri. I have an inline JavaScript running which the CSP prohibits. My understanding was that the JavaScript would still be allowed to run while in report-only mode, but would be reported to the report-uri link. It does get documented at the report-uri link, but it also stops the page from loading, with the following error on the Chrome console: "[Report Only] Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'"." Why is the CSP being enforced in 'Report-only' mode? Thanks


1 Answer


This seems to happen when I set the CSP along with the header 'Header set Set-Cookie: HttpOnly; SameSite=Strict' in Apache 2.2.3. I removed this header and the CSP works in true report-only mode.

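Added example (editor-supplied, not part of the question or the answer above): the quickest way to tell whether a browser treated a policy as report-only or enforced is to look at the "disposition" field in the report it POSTs to report-uri, which is "report" for Content-Security-Policy-Report-Only and "enforce" for Content-Security-Policy. The Python below is a minimal report-uri collector that validates the posted JSON, extracts that flag, and logs one line per violation. The endpoint address (127.0.0.1:8000), the /csp-report path, the example.test host and the sample report body are all constructed for illustration, not captured from the asker's setup.

```python
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Fields every report-uri violation report should carry (names per the CSP spec).
REQUIRED_FIELDS = ("document-uri", "violated-directive", "original-policy", "blocked-uri")
MAX_BODY = 64 * 1024  # refuse oversized bodies; a real report is a few hundred bytes


def parse_csp_report(body, content_type="application/csp-report"):
    """Validate one report-uri POST body and return the facts a triager needs.

    "report_only" comes from the report's "disposition" field: True for a
    Content-Security-Policy-Report-Only header, False for an enforced
    Content-Security-Policy header, None when the browser omitted the field.
    Raises ValueError for anything that is not a well-formed report.
    """
    if not content_type.startswith(("application/csp-report", "application/json")):
        raise ValueError("unexpected Content-Type: %r" % content_type)
    if len(body) > MAX_BODY:
        raise ValueError("report body too large")
    try:
        doc = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError) as exc:
        raise ValueError("body is not JSON: %s" % exc)
    report = doc.get("csp-report") if isinstance(doc, dict) else None
    if not isinstance(report, dict):
        raise ValueError("missing csp-report object")
    missing = [f for f in REQUIRED_FIELDS if f not in report]
    if missing:
        raise ValueError("report lacks fields: %s" % ", ".join(missing))
    # effective-directive names the directive that actually fired; older browsers
    # send only violated-directive, which may include the source list.
    directive = report.get("effective-directive") or report["violated-directive"]
    return {
        "document": report["document-uri"],
        "directive": directive.split(None, 1)[0] if directive.strip() else directive,
        "blocked": report["blocked-uri"],  # "inline" for an inline <script>
        "report_only": {"report": True, "enforce": False}.get(report.get("disposition")),
        "policy": report["original-policy"],
        "sample": report.get("script-sample", ""),
    }


def describe(rec):
    """One log line per report, stating whether the browser enforced the policy."""
    mode = {True: "report-only", False: "enforced", None: "unknown-mode"}[rec["report_only"]]
    return "%s violation of %s on %s (blocked-uri=%s)" % (
        mode, rec["directive"], rec["document"], rec["blocked"])


class ReportHandler(BaseHTTPRequestHandler):
    """Accepts browser POSTs at the report-uri path and answers 204 (no body needed)."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(min(length, MAX_BODY + 1))
        try:
            rec = parse_csp_report(body, self.headers.get("Content-Type", ""))
        except ValueError as exc:
            self.send_response(400)
            self.end_headers()
            self.wfile.write(str(exc).encode("utf-8"))
            return
        print(describe(rec))
        self.send_response(204)
        self.end_headers()

    def log_message(self, *args):  # keep the default access log quiet
        pass


# Constructed sample of the report a browser would post for an inline script
# blocked by "script-src 'self'" under a Report-Only header; not a captured report.
SAMPLE_REPORT = json.dumps({"csp-report": {
    "document-uri": "https://example.test/page",
    "referrer": "",
    "violated-directive": "script-src 'self'",
    "effective-directive": "script-src",
    "original-policy": "script-src 'self'; report-uri /csp-report",
    "disposition": "report",
    "blocked-uri": "inline",
    "status-code": 200,
    "script-sample": "alert(1)",
}}).encode("utf-8")


if __name__ == "__main__":
    print(describe(parse_csp_report(SAMPLE_REPORT)))
    # Point report-uri at http://127.0.0.1:8000/csp-report to collect live reports.
    HTTPServer(("127.0.0.1", 8000), ReportHandler).serve_forever()
```

Run it, set `report-uri http://127.0.0.1:8000/csp-report` in the header under test, and reload the page: a line beginning "report-only violation" confirms the browser applied the policy in report-only mode regardless of what the console prefix says, while "enforced violation" means an enforcing Content-Security-Policy header reached the browser as well.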