Reporting-Endpoints Diversity Tester

All reports are posted to https://report.centralcsp.com. Override with ?endpoint=https://your-host.

What this page emits

  1. CSP (enforcing + report-only): inline scripts/styles, eval, new Function, cross-origin script/img/font/object/iframe/audio, form-action, base-uri, worker, manifest, prefetch, fetch / XHR / WebSocket / EventSource / sendBeacon, navigate-to, Trusted-Types script-sink violations.
  2. Integrity-Policy: same-origin <script> / <link> without integrity attribute.
  3. Permissions-Policy: every feature in the catalogue is denied; the page then attempts to use each one.
  4. Document-Policy: document.write, sync XHR, unsized media, oversized images, JS profiling.
  5. COOP / COEP: cross-origin window.open + cross-origin embeds without CORP.
  6. NEL: deliberately bad fetch to a non-existent same-origin path.
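
When ?endpoint= points at your own collector, a tally like the following shows which of the six groups above actually arrive. This is an added example, not code from this page or from centralcsp.com; the report type strings, the function names and the sample batch are assumptions of the example.

```javascript
// Report "type" values mapped to the six groups listed above. The type strings
// are an assumption of this example (taken from the specs, not from the page).
const TYPE_TO_GROUP = new Map([
  ["csp-violation", "CSP"],
  ["integrity-violation", "Integrity-Policy"],
  ["permissions-policy-violation", "Permissions-Policy"],
  ["document-policy-violation", "Document-Policy"],
  ["coop", "COOP / COEP"],
  ["coep", "COOP / COEP"],
  ["network-error", "NEL"],
]);

// Constructed sample of one application/reports+json POST body.
const SAMPLE_BATCH = JSON.stringify([
  { type: "csp-violation", url: "https://tester.example/", body: { effectiveDirective: "script-src-elem", disposition: "enforce" } },
  { type: "csp-violation", url: "https://tester.example/", body: { effectiveDirective: "style-src-attr", disposition: "report" } },
  { type: "permissions-policy-violation", url: "https://tester.example/", body: { featureId: "geolocation" } },
  { type: "network-error", url: "https://tester.example/missing", body: { type: "http.error", status_code: 404 } },
  { type: "deprecation", url: "https://tester.example/", body: {} },
  "not-a-report",
]);

// Tally a batch per group; reports are untrusted input, so validate shape,
// cap the batch size, and never use a client-supplied string as an object key.
function classifyBatch(rawBody, maxReports = 100) {
  const result = { counts: {}, unknown: [], rejected: 0 };
  let batch;
  try { batch = JSON.parse(rawBody); } catch { batch = null; }
  if (!Array.isArray(batch)) { result.rejected = 1; return result; }
  for (const report of batch.slice(0, maxReports)) {
    if (report === null || typeof report !== "object" || typeof report.type !== "string") {
      result.rejected += 1;
      continue;
    }
    const group = TYPE_TO_GROUP.get(report.type);
    if (group === undefined) { result.unknown.push(report.type.slice(0, 64)); continue; }
    result.counts[group] = (result.counts[group] || 0) + 1;
  }
  return result;
}

// Groups from the list above for which no report has arrived yet.
function missingGroups(result) {
  return [...new Set(TYPE_TO_GROUP.values())].filter((g) => !(g in result.counts));
}

console.log(classifyBatch(SAMPLE_BATCH), missingGroups(classifyBatch(SAMPLE_BATCH)));
```

A group that stays in the missing list usually means the browser under test does not implement that policy's reporting, or the header naming the endpoint was not delivered.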
