COEPViolationReportBody

The COEPViolationReportBody dictionary represents the body of a Report that has a type of coep.

Reports with this type are used by the Reporting API to notify of violations of COEP policies set with the HTTP headers Cross-Origin-Embedder-Policy and Cross-Origin-Embedder-Policy-Report-Only. A serialized version of the same report structure may also be sent to reporting server endpoints.

Note: This object does not derive from ReportBody (unlike some other Report.body values).

Instance properties

COEPViolationReportBody.type Read only

A string representing what kind of cross-origin embedding caused the violation.

COEPViolationReportBody.blockedURL Read only

A string containing the URL of the blocked resource.

COEPViolationReportBody.disposition Read only

A string indicating whether the violation was enforced or only reported.

Description

A document's policies for loading and embedding cross-origin resources are configured and enforced using the Cross-Origin-Embedder-Policy HTTP header, and may also be reported but not enforced using the Cross-Origin-Embedder-Policy-Report-Only header.

COEP policy violations may be reported using the Reporting API whenever a policy set by those headers blocks (or would block) the loading of a resource.

A COEP policy violation report is represented by a Report instance that has a type of coep and a body property that is an object of this type. Reports can be returned via the ReportingObserver interface, or serialized and sent in a POST request to a reporting server endpoint.

To send reports to a reporting server endpoint, the Cross-Origin-Embedder-Policy and/or Cross-Origin-Embedder-Policy-Report-Only headers used to set the policy must include the report-to parameter with a valid reporting endpoint name. Valid endpoint names are defined using the Reporting-Endpoints header.

There are two main causes of violations, which are indicated by the value of the type property. The first is a "navigation" violation, which occurs when an <iframe> or other child browsing context attempts to load a new document or other resource whose embedder policy is not compatible with the cross-origin isolation required by its parent. The second is a "worker initialization" violation, which occurs when a page attempts to load a dedicated worker whose embedder policy is not compatible with the page's policy for cross-origin isolation.

In both cases "incompatible" means that the parent embedder policy requires cross origin isolation but the embedder policy of the child resource does not provide those guarantees of isolation. If the resource isn't loaded into a child context (such as a frame), or if the parent does not require isolation, then the embedder policy of the loaded resource doesn't matter.
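The server side of the flow described above, as an added example (not MDN's or the Reporting API's own code): building the Reporting-Endpoints and Cross-Origin-Embedder-Policy headers with a report-to parameter, then validating and summarizing the serialized report array that a browser POSTs to the named endpoint. The endpoint name, URLs and the report entries are constructed for illustration; the disposition value "reporting" for report-only mode is an assumption, only "enforce" appears on this page.

```javascript
// Added example (not MDN's code): server-side half of COEP violation reporting.
// Assumed values: endpoint name "coep-endpoint", report URL https://example.com/coep-reports.

// Build the response headers that enable COEP reporting for a document.
// reportOnly=true uses the Report-Only header so violations are reported but not blocked.
function coepPolicyHeaders({ endpointName, endpointUrl, reportOnly = false }) {
  const policy = `require-corp; report-to="${endpointName}"`;
  return {
    // Declares the named endpoint that the report-to parameter refers to.
    "Reporting-Endpoints": `${endpointName}="${endpointUrl}"`,
    [reportOnly
      ? "Cross-Origin-Embedder-Policy-Report-Only"
      : "Cross-Origin-Embedder-Policy"]: policy,
  };
}

// The two causes listed on this page.
const COEP_CAUSES = new Set(["navigation", "worker initialization"]);
// "enforce" is from the page's sample report; "reporting" for report-only mode is assumed.
const COEP_DISPOSITIONS = new Set(["enforce", "reporting"]);

function isHttpUrl(s) {
  try {
    const u = new URL(s);
    return u.protocol === "https:" || u.protocol === "http:";
  } catch {
    return false;
  }
}

// Parse a serialized report payload (JSON array of Report objects) and keep only
// well-formed coep reports. Malformed entries are counted and dropped, never trusted.
function parseCoepReportPayload(text) {
  let parsed;
  try {
    parsed = JSON.parse(text);
  } catch {
    return { reports: [], rejected: 1 };
  }
  if (!Array.isArray(parsed)) return { reports: [], rejected: 1 };
  const reports = [];
  let rejected = 0;
  for (const r of parsed) {
    const body = r && r.body;
    const ok =
      r && r.type === "coep" && body &&
      COEP_CAUSES.has(body.type) &&
      COEP_DISPOSITIONS.has(body.disposition) &&
      typeof body.blockedURL === "string" && isHttpUrl(body.blockedURL);
    if (!ok) { rejected += 1; continue; }
    reports.push({
      documentURL: typeof r.url === "string" ? r.url : "",
      cause: body.type,
      blockedURL: body.blockedURL,
      enforced: body.disposition === "enforce",
    });
  }
  return { reports, rejected };
}

// Aggregate normalized reports into counts per cause/disposition plus the set of
// blocked origins: the operator needs the origin whose embedder policy must be fixed.
function summarizeCoepReports(reports) {
  const counts = {};
  const blockedOrigins = new Set();
  for (const r of reports) {
    const key = `${r.cause}/${r.enforced ? "enforce" : "reporting"}`;
    counts[key] = (counts[key] || 0) + 1;
    blockedOrigins.add(new URL(r.blockedURL).origin);
  }
  return { counts, blockedOrigins: [...blockedOrigins].sort() };
}

// Minimal request handler for the endpoint. Browsers POST reports with
// Content-Type application/reports+json; anything else is rejected.
function handleReportRequest({ method, contentType, bodyText }) {
  if (method !== "POST") return { status: 405 };
  if (!/^application\/reports\+json/i.test(contentType || "")) return { status: 415 };
  const { reports, rejected } = parseCoepReportPayload(bodyText);
  return { status: 204, summary: summarizeCoepReports(reports), rejected };
}

// Constructed sample payload in the shape shown on this page (not a real capture).
const SAMPLE_PAYLOAD = JSON.stringify([
  { type: "coep", url: "https://app.example/page", body: { type: "navigation", blockedURL: "https://third-party.example/widget", disposition: "enforce" } },
  { type: "coep", url: "https://app.example/page", body: { type: "worker initialization", blockedURL: "https://cdn.example/worker.js", disposition: "reporting" } },
  { type: "csp-violation", url: "https://app.example/page", body: {} },
]);

// Optional: run a real endpoint with `COEP_REPORT_PORT=8080 node this-file.js` (CommonJS only).
if (typeof require === "function" && process.env.COEP_REPORT_PORT) {
  const http = require("node:http");
  http.createServer((req, res) => {
    let bodyText = "";
    req.on("data", (chunk) => { bodyText += chunk; });
    req.on("end", () => {
      const out = handleReportRequest({ method: req.method, contentType: req.headers["content-type"], bodyText });
      if (out.summary) console.log(JSON.stringify(out.summary));
      res.writeHead(out.status).end();
    });
  }).listen(Number(process.env.COEP_REPORT_PORT));
}
```

The handler answers 204 even when entries are rejected, since the browser will simply retry or drop reports on error status; rejected entries are counted so a flood of malformed submissions to the public endpoint is visible without ever being trusted.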

Examples

COEP report

In this example we create a new ReportingObserver to observe coep reports, then log the first report to the console.

js
const options = {
  types: ["coep"],
  buffered: true,
};

const observer = new ReportingObserver((reports, observer) => {
  const firstReport = reports[0];
  console.log(firstReport.type); // coep
  console.log(firstReport);
}, options);

// Start receiving reports; buffered reports are delivered on the next callback.
observer.observe();

The logged report object for a COEP violation from loading an iframe might look like this:

json
[
  {
    "type": "coep",
    "url": "https://url-where-report-sent",
    "body": {
      "type": "navigation",
      "blockedURL": "https://url-of-frame-that-was-blocked",
      "disposition": "enforce"
    }
  }
]
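Building on the page's observer example, an added example (not MDN's code) of a ReportingObserver callback that turns each coep report into a triage record: which of the two causes it was, whether it was enforced or only reported, the blocked origin, and a short remediation hint derived from this page's description. The hint wording, the sample batch and its URLs are this example's own; the function also tolerates the batch containing non-coep reports or malformed bodies.

```javascript
// Added example (not MDN's code): client-side triage of coep reports.

// Map the report body's `type` to the resource whose embedder policy must change.
// The two keys are the causes this page lists; the hint text is this example's own.
const COEP_HINTS = {
  "navigation":
    "the framed document must itself send a Cross-Origin-Embedder-Policy that provides cross-origin isolation",
  "worker initialization":
    "the dedicated worker's response must send a Cross-Origin-Embedder-Policy compatible with the page's",
};

// Normalize one Report whose type is "coep" into a record for logging or telemetry.
// Returns null for reports of other types or with a malformed body.
function triageCoepReport(report) {
  if (!report || report.type !== "coep" || !report.body) return null;
  const { type, blockedURL, disposition } = report.body;
  if (!(type in COEP_HINTS) || typeof blockedURL !== "string") return null;
  let blockedOrigin;
  try {
    blockedOrigin = new URL(blockedURL).origin;
  } catch {
    return null;
  }
  return {
    cause: type,
    blockedURL,
    blockedOrigin,
    // "enforce" means the load was actually blocked; anything else means report-only.
    enforced: disposition === "enforce",
    hint: COEP_HINTS[type],
  };
}

// Process a batch as delivered to the ReportingObserver callback. Duplicate
// blockedURLs within a batch are collapsed (a page that re-creates a frame can emit many).
function triageCoepBatch(reports) {
  const seen = new Set();
  const out = [];
  for (const r of reports) {
    const rec = triageCoepReport(r);
    if (!rec || seen.has(rec.blockedURL)) continue;
    seen.add(rec.blockedURL);
    out.push(rec);
  }
  return out;
}

// Attach the observer in a browser. `buffered: true` also delivers reports
// generated before the observer existed. `onRecords` receives the triaged batch.
// Returns null where ReportingObserver is unavailable (Node, unsupported browsers).
function observeCoepViolations(onRecords) {
  if (typeof ReportingObserver === "undefined") return null;
  const observer = new ReportingObserver(
    (reports) => onRecords(triageCoepBatch(reports)),
    { types: ["coep"], buffered: true },
  );
  observer.observe();
  return observer;
}

// Constructed sample batch, shaped like the page's logged report (not a real capture).
const SAMPLE_BATCH = [
  { type: "coep", url: "https://app.example/", body: { type: "navigation", blockedURL: "https://partner.example/embed", disposition: "enforce" } },
  { type: "coep", url: "https://app.example/", body: { type: "navigation", blockedURL: "https://partner.example/embed", disposition: "enforce" } },
  { type: "coep", url: "https://app.example/", body: { type: "worker initialization", blockedURL: "https://static.example/worker.js", disposition: "reporting" } },
  { type: "deprecation", url: "https://app.example/", body: { id: "constructed" } },
];

// In a browser this prints a table of triaged records as violations arrive.
observeCoepViolations((records) => console.table(records));
```

Because the body's disposition tells you whether the resource was actually blocked, the same callback can be used while rolling out the policy under Cross-Origin-Embedder-Policy-Report-Only and again after switching to the enforcing header.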

Specifications

No specification found


See also