The `PermissionsPolicyViolationReport` dictionary of the [Reporting API](/en-US/docs/Web/API/Reporting_API) represents a report that is generated when a document violates its [Permissions Policy](/en-US/docs/Web/HTTP/Guides/Permissions_Policy).
13
13
14
-
Reports of this type can be observed from within a page using a {{domxref("ReportingObserver")}}, and a serialized version can be sent to the [default reporting server endpoint](/en-US/docs/Web/HTTP/Reference/Headers/Reporting-Endpoints#default_reporting_endpoint).
14
+
Reports of this type can be observed from within a page using a {{domxref("ReportingObserver")}}, and a serialized version can be sent to a reporting endpoint server.
15
15
16
16
## Instance properties
17
17
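Review bot: The added sentence that replaces the `ReportingObserver` line drops the link to the endpoint documentation and says "a reporting endpoint server", while the rest of the page says "reporting server endpoint". Suggest keeping the term consistent and linking it, for example to `/en-US/docs/Web/API/Reporting_API#reporting_server_endpoints`, which the page already links further down, so readers can still find out how the endpoint is selected now that the sentence no longer points at the default endpoint.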
@@ -47,15 +47,16 @@ Reports of this type can be observed from within a page using a {{domxref("Repor
47
47
48
48
Permissions Policy violations are reported when a document attempts to use a browser feature that is blocked by its [Permissions Policy](/en-US/docs/Web/HTTP/Guides/Permissions_Policy).
49
49
The policy is set using the {{httpheader("Permissions-Policy")}} HTTP header, or a `<meta http-equiv="permissions-policy">` element.
50
+
Violations of the policy may also be reported but not enforced using the {{httpheader("Permissions-Policy-Report-Only")}} HTTP header, or a `<meta http-equiv="permissions-policy-report-only">` element.
50
51
51
52
You can monitor for Permissions-Policy violation reports within the page that sets the policy using the [Reporting API](/en-US/docs/Web/API/Reporting_API).
52
53
To do this you create a {{domxref("ReportingObserver")}} object to listen for reports, passing a callback method and an (optional) `options` property specifying the types of reports that you want to report on.
53
54
The callback method is then called with reports of the requested types, passing a report object.
54
-
For `Permissions-Policy` violations, the object will be a `PermissionsPolicyViolationReport` instance with `PermissionsPolicyViolationReport.type == "permissions-policy-violation"`.
55
+
For `Permissions-Policy`or `Permissions-Policy-Report-Only`violations, the object will be a `PermissionsPolicyViolationReport` instance with `PermissionsPolicyViolationReport.type == "permissions-policy-violation"`.
55
56
56
57
The structure of a typical in-page report is shown below.
57
58
Note that we can see the URL of the page that had its policy violated (`url`), and from `body.featureId` we can see which feature was blocked.
58
-
The `body.disposition` field shows that the violation was enforced.
59
+
The `body.disposition` field shows that the violation was enforced or only reported.
59
60
60
61
```json
61
62
{
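Review bot: The added line beginning "For `Permissions-Policy`or `Permissions-Policy-Report-Only`violations" is missing a space after each closing backtick, so the rendered text will run the code spans into "or" and "violations". In the same hunk, "shows that the violation was enforced or only reported" reads as if both hold at once; "shows whether the policy was enforced or the violation was only reported" is clearer, and now that report-only mode is documented here the text should also state which `disposition` value a report-only violation carries.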
@@ -66,14 +67,14 @@ The `body.disposition` field shows that the violation was enforced.
66
67
"lineNumber": 44,
67
68
"columnNumber": 29,
68
69
"featureId": "geolocation",
69
-
"disposition": "enforce",
70
+
"disposition": "enforce",// Policy was enforced!
70
71
"message": "Permissions policy violation: geolocation access has been blocked because of a permissions policy applied to the current document."
71
72
}
72
73
}
73
74
```
74
75
75
-
Violation reports may also be sent as a JSON object in a {{httpmethod("POST")}} request to the [reporting server endpoint](/en-US/docs/Web/API/Reporting_API#reporting_server_endpoints)named `"default"`, if one is defined.
76
-
The reporting server endpoint and its mapping to a particular URL are set using the {{httpheader("Reporting-Endpoints")}} header.
76
+
Violation reports may also be sent as a JSON object in a {{httpmethod("POST")}} request to the [reporting server endpoint](/en-US/docs/Web/API/Reporting_API#reporting_server_endpoints)indicated by name in a per-directive `report-to` parameter, or otherwise to the [`default` reporting server endpoint](/en-US/docs/Web/HTTP/Reference/Headers/Reporting-Endpoints#default_reporting_endpoint).
77
+
The reporting server endpoint and its mapping to a particular URL are set using the {{httpheader("Reporting-Endpoints")}} response header.
77
78
78
79
The structure of the server report is almost exactly the same as `PermissionsPolicyViolationReport`, except that it additionally includes `age` and `user_agent` fields.
79
80
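Review bot: The added `"disposition": "enforce",// Policy was enforced!` line sits inside a block fenced as `json`, and JSON has no comment syntax, so the sample is no longer valid JSON and may fail a linter or a reader's copy-paste into a parser. Move the remark into the prose above the block, or, if the comment stays, add a space before `//` and change the fence language to one that permits comments. Separately, the rewritten "Violation reports may also be sent" line has no space between the closing parenthesis of the link and "indicated", and it would read more easily split in two: first the per-directive `report-to` case, then the fallback to the `default` endpoint.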
@@ -163,13 +164,24 @@ Note that the `type` is `"permissions-policy-violation"` and `body.featureId` id
163
164
164
165
### Sending a Permissions Policy violation report to a reporting endpoint
165
166
166
-
Here we define the define reporting endpoint named `"default"` using the {{httpheader("Reporting-Endpoints")}} response header, and set the `Permissions-Policy` header to block use of the `geolocation` feature.
167
+
This example shows how to configure reporting of `Permissions-Policy` violations to a server endpoint.
168
+
169
+
The response headers below block geolocation and define the reporting endpoint name for the feature as "geo_endpoint".
170
+
The {{HTTPHeader("Reporting-Endpoints")}} HTTP response header is used to define URL of this endpoint name.
> To send all violation reports to the same endpoint we might instead define the [`"default"` reporting endpoint](/en-US/docs/Web/HTTP/Reference/Headers/Reporting-Endpoints#default_reporting_endpoint):
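Review bot: In the added line "The {{HTTPHeader("Reporting-Endpoints")}} HTTP response header is used to define URL of this endpoint name", the article is missing and the object is off, since the header maps the endpoint name to a URL; "is used to define the URL for this endpoint name" reads better. The macro is also written `{{HTTPHeader(...)}}` here while the other lines in this diff use `{{httpheader(...)}}`, and "geo_endpoint" is in plain quotes where `"default"` is formatted as code; make both consistent with the surrounding page.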