SecurityPolicyViolationEvent: sample property
Baseline
Widely available
This feature is well established and works across many devices and browser versions. It’s been available across browsers since September 2021.
Note: This feature is available in Web Workers.
The sample read-only property of the SecurityPolicyViolationEvent interface is a string representing a sample of the resource that caused the Content Security Policy (CSP) violation.
This is only populated for script-src* and style-src* violations, when the corresponding Content-Security-Policy directive contains the 'report-sample' keyword.
In addition, this will only be populated if the resource is an inline script, event handler, or style — external resources causing a violation will not generate a sample.
Note: Violation reports should be considered attacker-controlled data. The content of this field should be sanitized before storing or rendering.
Value
A string containing a sample of the resource that caused the violation, usually the first 40 characters, or the empty string.
Examples
document.addEventListener("securitypolicyviolation", (e) => {
  console.log(e.sample);
});
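Because the sample is attacker-controlled, as the note above says, the following added example (not part of the original page) shows one way to clean it before storing it or rendering it as HTML. The helper names `cleanReportString`, `escapeHtml` and `buildViolationRecord`, and the 40-character cap, are assumptions of this example.

```javascript
// Added example: treat e.sample as untrusted before logging or rendering it.
// All helper names below are hypothetical, chosen for this example.
const MAX_SAMPLE_LENGTH = 40; // samples are usually the first 40 characters

// Normalise a report string for storage: force a string type, replace
// control characters and line separators (which could forge log lines)
// with spaces, and cap the length.
function cleanReportString(value) {
  if (typeof value !== "string") return "";
  return value
    .replace(/[\u0000-\u001f\u007f-\u009f\u2028\u2029]/g, " ")
    .slice(0, MAX_SAMPLE_LENGTH);
}

// Escape a value for insertion into HTML text or a quoted attribute.
function escapeHtml(text) {
  const entities = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => entities[ch]);
}

// Build a plain record from a SecurityPolicyViolationEvent, or from any
// object that has the same properties.
function buildViolationRecord(e) {
  const sample = cleanReportString(e.sample);
  return {
    directive: cleanReportString(e.effectiveDirective),
    hasSample: sample.length > 0, // empty unless 'report-sample' applies
    sample, // cleaned, for storage as data
    sampleHtml: escapeHtml(sample), // escaped, for an HTML text node
  };
}

// In a browser, wire the record builder to the event.
if (typeof document !== "undefined") {
  document.addEventListener("securitypolicyviolation", (e) => {
    console.log(JSON.stringify(buildViolationRecord(e)));
  });
}
```

Store the `sample` field as data and use `sampleHtml` only when the value is written into markup; an empty `sample` is expected for external resources or when 'report-sample' is not set.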
Specifications
| Specification |
|---|
| Content Security Policy Level 3 # dom-securitypolicyviolationevent-sample |