Reputation: 10250
I get a Content Security Policy violation report in my browser when I visit my webpage:
[Report Only] Refused to load the image '' because it violates the following Content Security Policy directive: "img-src 'self' ".
When I investigate the HTTP response headers, neither the Content-Security-Policy-Report-Only header nor the Content-Security-Policy header seems to be set by the origin server.
How can I find the source of this violation report? I'm not sure why it is generated considering the relevant header(s) do not seem to be set.
Upvotes: 1
Views: 686
Reputation: 8556
There are 2 options possible:
1. You have a third-party iframe embedded in the page. The violations you observed belong to that iframe, which publishes its own CSP header. Since a browser has only one console for the main page and all iframes, you can see the third-party iframes' errors too.
Try using another browser; some of them can be more verbose and show the blocked URI. Anyway, you can do nothing about a third-party CSP.
2. If you visit a nonexistent webpage, the server's middleware can publish a default CSP for pages with a 4xx/5xx status code. Low probability, because Report-Only mode is not used in such cases.
Publishing Content-Security-Policy-Report-Only not in an HTTP header but in a meta tag is not possible, because the meta tag does not support Report-Only mode. Therefore I bet on option 1.
Upvotes: 0
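As an added example (not part of the question or the answer above), the following DevTools console snippet lets the browser itself tell you which document's policy produced the report. Browsers dispatch a `securitypolicyviolation` event on the document whose CSP was violated; its `documentURI`, `disposition` (`report` for Content-Security-Policy-Report-Only, `enforce` for Content-Security-Policy) and `statusCode` fields map directly onto the two options in the answer. The helper functions are pure so they also run under Node; the browser-only part is guarded. The field names are the standard SecurityPolicyViolationEvent attributes; the classification labels and the sample events used for checking are my own constructions.

```javascript
// Added example, not from the original question or answer.
// Paste into the DevTools console of the page that shows the report, then
// re-trigger the image load (e.g. reload with the console kept open, or
// re-append the <img>), because the listener only sees later violations.

// Pure helper: pull out the fields of a SecurityPolicyViolationEvent-like
// object that say where a report came from.
function summarizeViolation(ev) {
  return {
    // URL of the document whose policy was violated. If this is not the top
    // page, the policy belongs to an embedded frame, not to your own server.
    documentURI: ev.documentURI,
    blockedURI: ev.blockedURI || '(empty)',
    violatedDirective: ev.violatedDirective,
    effectiveDirective: ev.effectiveDirective,
    // 'report' => Content-Security-Policy-Report-Only, 'enforce' => Content-Security-Policy
    disposition: ev.disposition,
    // HTTP status of the violating document; 4xx/5xx points at a server
    // default policy on an error page.
    statusCode: ev.statusCode,
    originalPolicy: ev.originalPolicy,
    sourceFile: ev.sourceFile || null,
    lineNumber: ev.lineNumber || 0,
  };
}

// Pure helper: decide which of the answer's options the report matches.
// topDocumentURL is the URL of the page you are looking at (location.href).
function classifyViolation(ev, topDocumentURL) {
  const header = ev.disposition === 'report'
    ? 'Content-Security-Policy-Report-Only'
    : 'Content-Security-Policy';
  const docOrigin = new URL(ev.documentURI).origin;
  const topOrigin = new URL(topDocumentURL).origin;

  if (docOrigin !== topOrigin) {
    // Option 1: a cross-origin frame published its own policy.
    return { source: 'third-party-frame', header, origin: docOrigin };
  }
  if (ev.documentURI !== topDocumentURL) {
    // Same origin but a different document: one of your own frames.
    return { source: 'same-origin-frame', header, origin: docOrigin };
  }
  if (typeof ev.statusCode === 'number' && ev.statusCode >= 400) {
    // Option 2: default policy attached by middleware to an error page.
    return { source: 'error-page-default-policy', header, origin: docOrigin };
  }
  return { source: 'own-document', header, origin: docOrigin };
}

// Browser-only part: install the listener and list the frames on the page.
if (typeof document !== 'undefined' && typeof location !== 'undefined') {
  document.addEventListener('securitypolicyviolation', (ev) => {
    console.table(summarizeViolation(ev));
    console.log(classifyViolation(ev, location.href));
  });
  // Violations inside a cross-origin frame never reach this listener. If the
  // console keeps printing reports that this listener never sees, one of
  // these documents owns the policy (option 1 in the answer).
  console.table(
    [...document.querySelectorAll('iframe')].map((f) => ({
      src: f.src,
      sandbox: f.getAttribute('sandbox'),
    })),
  );
}
```

Usage note: the decisive signal is absence. A `[Report Only]` line in the console with no matching event on your own `document` means the policy lives in a frame you do not control, which is exactly the case the answer bets on; an event with `statusCode` 404 or 500 on your own URL points at option 2 instead.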