References

Beginner-friendly references for web development, with live, editable examples.

The HTML onsecuritypolicyviolation event

Event All modern browsers Updated
Quick answer

The HTML onsecuritypolicyviolation attribute runs JavaScript when a Content-Security-Policy directive is violated. It is an inline handler for the securitypolicyviolation event; in modern code prefer addEventListener('securitypolicyviolation', …).

Overview

The onsecuritypolicyviolation event attribute runs JavaScript when a CSP violation occurs. In JavaScript the event itself is named securitypolicyviolation — drop the on prefix when you call addEventListener.

It is a window- or document-level event rather than one tied to a particular element, so it is handled on window or document. These events cover the page lifecycle, navigation, network status, messaging and similar global concerns.

You can wire this up with the inline onsecuritypolicyviolation HTML attribute, but the modern, recommended approach is element.addEventListener('securitypolicyviolation', handler) in JavaScript. That keeps behavior out of your markup, lets you attach several handlers to the same event, and makes them easy to remove. The inline attribute is fine for quick demos.

Syntax

<element onsecuritypolicyviolation="handler()">…</element>

element.addEventListener('securitypolicyviolation', handler);

Best practices

  • Prefer element.addEventListener('securitypolicyviolation', handler) over the inline onsecuritypolicyviolation attribute — it separates behavior from markup and allows multiple handlers.
  • Attach these on window (or document) with addEventListener rather than as <body> attributes.
  • Keep these handlers fast — they run at moments that affect the whole page.
  • Remove listeners you no longer need to avoid leaks in long-lived pages.

Frequently asked questions

What is the onsecuritypolicyviolation event?
It runs JavaScript when a CSP violation occurs. In JavaScript the event is named securitypolicyviolation.
Where do I attach this event?
On window or document — these are global events, not tied to a single element.
Can I use it as a body attribute?
You can, but window.addEventListener is preferred — it keeps behavior out of the markup and allows multiple handlers.
Should I use the onsecuritypolicyviolation attribute or addEventListener?
Prefer addEventListener('securitypolicyviolation', …) in JavaScript. The inline onsecuritypolicyviolation attribute works but mixes behavior into the markup and allows only one handler per element.
onsearch onseeked