Content Security Policies (CSP) operate in two modes. The first is Report-Only: CSP violations are reported but not enforced. A policy delivered in the “Content-Security-Policy-Report-Only” response header logs messages to the developer console and sends violation reports to a reporting endpoint (if one is configured). These console messages typically start with “[Report Only] Refused to load the …” and end with “because it violates the following Content Security Policy directive: …”. The Report-Only form of a CSP is a way to test a policy before enforcing it.
It lets developers confirm that the policy has no unintended side effects that would prevent expected functionality from loading and executing. If you see these errors in the console, the proposed policy would block the named resource once enforced. Any Report-Only violations should be investigated by the website owner and used as feedback to adjust the policy if the resource is expected to load.
The second mode actively enforces the policy sent in the Content-Security-Policy header by blocking resources from loading. Any violation of the policy in that header results in the resource being blocked, an error message in the console, and a violation report sent to a reporting endpoint (if one is configured in the policy). The error messages start with “Refused to load the …” and end with “... because it violates the following Content Security Policy directive: …”. These messages name the specific resource and the part of the policy it violated. If you see this message in the console, the page treats the request as unexpected and suspect and is actively blocking the resource. If the request is expected, the site owner should be notified that page resources are being erroneously blocked.
Image: Example of CSP violations reported to the console: “Refused to load the image because it violates the following Content Security Policy directive …”.
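Both modes can also send violation reports to a reporting endpoint, and the site owner's job is to turn those reports into policy decisions. The following is an added example, not code from the original page: a small triage routine for the JSON bodies browsers POST to a report-uri endpoint, which separates Report-Only violations from enforced ones and groups them by directive and blocked origin. The sample reports and the hostnames in them are constructed.

```python
import json
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample bodies in the JSON shape browsers POST to a report-uri
# endpoint; they are not reports taken from the original page.
SAMPLE_REPORTS = [
    '{"csp-report": {"document-uri": "https://shop.example/cart", "disposition": "report", '
    '"effective-directive": "img-src", "blocked-uri": "https://cdn.example/banner.png"}}',
    '{"csp-report": {"document-uri": "https://shop.example/checkout", "disposition": "report", '
    '"effective-directive": "img-src", "blocked-uri": "https://cdn.example/logo.png"}}',
    '{"csp-report": {"document-uri": "https://shop.example/cart", "disposition": "enforce", '
    '"violated-directive": "script-src \'self\'", "blocked-uri": "inline"}}',
    '{"not": "a csp report"}',
]

def parse_report(body: str) -> dict:
    """Return the inner csp-report object; raise ValueError for anything else."""
    report = json.loads(body).get("csp-report")
    if not isinstance(report, dict):
        raise ValueError("body is not a CSP violation report")
    return report

def classify(report: dict) -> dict:
    """Reduce one violation to mode (enforced vs report-only), directive and origin."""
    # CSP3 reports carry effective-directive; older ones only violated-directive,
    # which may include the directive's value ("script-src 'self'").
    raw = report.get("effective-directive") or report.get("violated-directive", "")
    directive = (raw.split() or [""])[0]
    blocked = report.get("blocked-uri", "")
    # blocked-uri is a URL, or a keyword such as "inline", "eval" or "data".
    parts = urlsplit(blocked)
    origin = f"{parts.scheme}://{parts.netloc}" if parts.scheme and parts.netloc else blocked
    # "disposition" is "report" under Content-Security-Policy-Report-Only and
    # "enforce" under Content-Security-Policy; reports lacking it are treated as enforced.
    mode = "report-only" if report.get("disposition") == "report" else "enforce"
    return {"mode": mode, "directive": directive, "origin": origin,
            "document": report.get("document-uri", "")}

def summarise(bodies) -> Counter:
    """Count violations by (mode, directive, origin): the view a site owner needs
    to decide whether a blocked resource is expected and the policy must change."""
    counts = Counter()
    for body in bodies:
        try:
            entry = classify(parse_report(body))
        except (ValueError, AttributeError):  # malformed JSON or non-object body
            continue
        counts[(entry["mode"], entry["directive"], entry["origin"])] += 1
    return counts
```

Running summarise over the sample bodies groups the two Report-Only img-src reports under the one CDN origin, which is the signal that the origin should be added to img-src if those images are expected, while the enforced script-src violation stands out separately.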