diff --git a/files/en-us/web/api/cspviolationreportbody/blockedurl/index.md b/files/en-us/web/api/cspviolationreportbody/blockedurl/index.md
new file mode 100644
index 000000000000000..f6a2128e08750cd
--- /dev/null
+++ b/files/en-us/web/api/cspviolationreportbody/blockedurl/index.md
@@ -0,0 +1,219 @@
+---
+title: "CSPViolationReportBody: blockedURL property"
+short-title: blockedURL
+slug: Web/API/CSPViolationReportBody/blockedURL
+page-type: web-api-instance-property
+browser-compat: api.CSPViolationReportBody.blockedURL
+---
+
+{{APIRef("Reporting API")}}
+
+The **`blockedURL`** read-only property of the {{domxref("CSPViolationReportBody")}} interface is a string value that represents the resource that was blocked because it violates a [Content Security Policy (CSP)](/en-US/docs/Web/HTTP/CSP).
+
+## Value
+
+An string containing a value or URL that represents the resource that violated the policy.
+
+If the value is not the URL of a resource, it must be one of the following strings:
+
+- `inline`
+  - : An inline resource.
+    For example, an inline script that was used when [`'unsafe-inline'`](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#unsafe-inline) was not specified in the CSP.
+- `eval`
+  - : An `eval()`.
+    For example, `eval()` was used but [`'unsafe-eval'`](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#unsafe-eval) was not specified in the CSP.
+- `wasm-eval`
+  - : An WASM evaluation.
+    For example, `eval()` was used but [`'wasm-unsafe-eval'`](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#wasm-unsafe-eval) was not specified in the CSP.
+- `trusted-types-policy`
+  - : A resource that violated the [`trusted-types`](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/trusted-types) CSP directive.
+    For example, a {{domxref("TrustedTypePolicy")}} was created using {{domxref("TrustedTypePolicyFactory/createPolicy", "window.trustedTypes.createPolicy()")}} with a name that wasn't listed in the CSP `trusted-types` directive.
+- `trusted-types-sink`
+  - : A resource that violated the [`require-trusted-types-for`](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/trusted-types) CSP directive.
+    For example, the directive was set to `script` but the document did not use a {{domxref("TrustedTypePolicy")}} to sanitize data before passing it to a sink such as {{domxref("Element.innerHTML")}}.
+
+## Examples
+
+The following examples show HTML that would result in some of the `blockedURL` values outlined above.
+
+The examples assume that you have a JavaScript file named `main.js` imported into your script from the same domain.
+The script, which is shown below, creates a new {{domxref("ReportingObserver")}} to observe content violation reports of type `"csp-violation"`.
+Each time the callback function is invoked, we log the `blockedURL` in the first entry of the reports array.
+
+```js
+const observer = new ReportingObserver(
+  (reports, observer) => {
+    console.log(`blockedURL: ${reports[0].body.blockedURL}`);
+  },
+  {
+    types: ["csp-violation"],
+    buffered: true,
+  },
+);
+
+observer.observe();
+```
+
+Note that while there might be multiple reports in the returned array, for brevity we only log the blocked URL of the first report.
+
+### blockedURL for an external resource
+
+The HTML below sets a policy of `Content-Security-Policy: default-src 'self'`, which only allows resources from the same site to be loaded, and then attempts to load a script from the external site `https://apis.google.com`.
+
+```html
+<!doctype html>
+<html lang="en">
+  <head>
+    <meta http-equiv="Content-Security-Policy" content="default-src 'self'" />
+    <script src="main.js"></script>
+  </head>
+  <body>
+    <!-- This should generate a CSP violation -->
+    <script src="https://apis.google.com/js/platform.js"></script>
+  </body>
+</html>
+```
+
+The result of logging the `blockedURL` would be:
+
+```plain
+blockedURL: https://apis.google.com/js/platform.js
+```
+
+### blockedURL for unsafe-inline resources
+
+The HTML below demonstrates the conditions that would result in a `blockedURL` of `inline`.
+This sets a policy of `Content-Security-Policy: default-src 'self'`, which does not allow inline scripts to be executed, causing a violation because the page contains an inline script.
+
+```html
+<!doctype html>
+<html lang="en">
+  <head>
+    <meta http-equiv="Content-Security-Policy" content="default-src 'self'" />
+    <script src="main.js"></script>
+  </head>
+  <body>
+    <script>
+      const int = 4;
+    </script>
+  </body>
+</html>
+```
+
+The result of logging the `blockedURL` would be:
+
+```plain
+blockedURL: inline
+```
+
+### blockedURL for trusted-types-policy resources
+
+The HTML below demonstrates the conditions that would result in a `blockedURL` of `trusted-types-policy`.
+First it defines a policy that allows `'unsafe-inline'` scripts to be executed, so that we can create a {{domxref("TrustedTypePolicy")}} that will trigger a violation.
+The policy also uses the `trusted-types` directive to specify that a {{domxref("TrustedTypePolicy")}} with the name `myPolicy` is allowed to be created.
+
+```html
+<!doctype html>
+<html lang="en">
+  <head>
+    <meta
+      http-equiv="Content-Security-Policy"
+      content="default-src 'self' 'report-sample' 'unsafe-inline'; trusted-types myPolicy" />
+    <script src="main.js"></script>
+  </head>
+
+  <body></body>
+
+  <script>
+    const policy = trustedTypes.createPolicy("somePolicy", {
+      createHTML: (string) => {
+        // Some (insufficient) sanitization code
+        return string.replace(/</g, "&lt;");
+      },
+    });
+  </script>
+</html>
+```
+
+In the script a policy is created with the name `somePolicy`.
+
+> [!NOTE]
+> The particular policy we defined above is not a very good policy.
+> The aim of using trusted types is not to enforce a _particular_ policy, but to require enforcement of some policy, and ensure that the sanitization code is in one place and easy to review.
+
+Because this is not listed in the `trusted-types` directive it is a CSP violation, and we'd see the log output:
+
+```plain
+blockedURL: trusted-types-policy
+```
+
+If we changed the name of the allowed policy to `somePolicy`, the page would no longer be in violation.
+
+### blockedURL for trusted-types-sink resources
+
+The HTML below demonstrates the conditions that would result in a `blockedURL` of `trusted-types-sink`.
+First it defines a policy that allows `'unsafe-inline'` scripts to be executed, and as in the previous example it use the `trusted-types` directive to specify that a {{domxref("TrustedTypePolicy")}} with the name `myPolicy` is allowed to be created.
+
+In addition, it specifies the directive `require-trusted-types-for 'script'`, which enforces that sinks should only be passed content that has been sanitized using a trusted type.
+
+```html
+<!doctype html>
+<html lang="en">
+  <head>
+    <meta
+      http-equiv="Content-Security-Policy"
+      content="default-src 'self' 'report-sample' 'unsafe-inline'; trusted-types 'myPolicy'; require-trusted-types-for 'script'" />
+    <script src="main.js"></script>
+  </head>
+  <body>
+    <input type="text" id="userInput" />
+    <button onclick="updateContent()">Update Content</button>
+    <div id="content"></div>
+  </body>
+
+  <script>
+    function updateContent() {
+      const userInput = document.getElementById("userInput").value;
+
+      // Passing unsanitized content - a violation of the policy
+      document.getElementById("content").innerHTML = userInput;
+    }
+  </script>
+</html>
+```
+
+The `updateContent()` method passes unsanitized content to the element's `innerHTML` property, which will cause a CSP violation.
+We'd see the log output:
+
+```plain
+blockedURL: trusted-types-sink
+```
+
+In order to avoid the violation we would need to update the script to define a trusted type policy, and use it to sanitize the input passed to the element:
+
+```js
+const policy = trustedTypes.createPolicy("myPolicy", {
+  createHTML: (string) => {
+    // Some (insufficient) sanitization code
+    return string.replace(/</g, "&lt;");
+  },
+});
+
+function updateContent() {
+  const userInput = document.getElementById("userInput").value;
+  const sanitizedInput = policy.createHTML(userInput);
+  document.getElementById("content").innerHTML = sanitizedInput;
+}
+```
+
+## Specifications
+
+{{Specifications}}
+
+## Browser compatibility
+
+{{Compat}}
+
+## See also
+
+- {{domxref("SecurityPolicyViolationEvent.blockedURI")}}
diff --git a/files/en-us/web/api/cspviolationreportbody/columnnumber/index.md b/files/en-us/web/api/cspviolationreportbody/columnnumber/index.md
new file mode 100644
index 000000000000000..7eb5d644648df1b
--- /dev/null
+++ b/files/en-us/web/api/cspviolationreportbody/columnnumber/index.md
@@ -0,0 +1,120 @@
+---
+title: "CSPViolationReportBody: columnNumber property"
+short-title: columnNumber
+slug: Web/API/CSPViolationReportBody/columnNumber
+page-type: web-api-instance-property
+browser-compat: api.CSPViolationReportBody.columnNumber
+---
+
+{{APIRef("Reporting API")}}
+
+The **`columnNumber`** read-only property of the {{domxref("CSPViolationReportBody")}} interface indicates the column number in the source file that triggered the [Content Security Policy (CSP)](/en-US/docs/Web/HTTP/CSP) violation.
+
+Note that the browser extracts the value from _the global object_ of the file that triggered the violation.
+If the resource that triggers the CSP violation is not loaded, the value will be `null`.
+See {{domxref("CSPViolationReportBody.sourceFile")}} for more information.
+
+This property is most useful alongside {{domxref("CSPViolationReportBody.sourceFile")}} and {{domxref("CSPViolationReportBody.lineNumber")}}, as it provides the location of the column in that file and line that resulted in a violation.
+
+## Value
+
+An integer containing the column number that triggered the violation, or `null`.
+
+## Examples
+
+### CSP inline script violation
+
+This example triggers a CSP violation using an inline script, and reports the violation using a {{domxref("ReportingObserver")}}.
+
+#### HTML
+
+The HTML file below uses the [`<meta>`](/en-US/docs/Web/HTML/Element/meta) element to set the {{httpheader('Content-Security-Policy')}} `default-src` to `self`, which allows scripts and other resources to be loaded from the same origin, but does not allow inline scripts to be executed.
+The document also includes an inline script, which should therefore trigger a CSP violation.
+
+```html
+<!doctype html>
+<html lang="en">
+  <head>
+    <meta
+      http-equiv="Content-Security-Policy"
+      content="default-src 'self'; report-to csp-endpoint" />
+    <meta
+      http-equiv="Reporting-Endpoints"
+      content="csp-endpoint='https://example.com/csp-reports'" />
+    <script src="main.js"></script>
+    <title>CSP: Violation due to inline script</title>
+  </head>
+  <body>
+    <h1>CSP: Violation due to inline script</h1>
+    <script>
+      const int = 4;
+    </script>
+  </body>
+</html>
+```
+
+#### JavaScript (main.js)
+
+The document above also loads the external script `main.js`, which is shown below.
+Because this is loaded from the same domain as the HTML, it is not blocked by the CSP.
+
+The script creates a new {{domxref("ReportingObserver")}} to observe content violation reports of type `"csp-violation"`.
+Each time the callback function is invoked, we get the body of the first entry of the reports array, and use it to log the file, line, and column of the violation to the console.
+
+```js
+// main.js
+const observer = new ReportingObserver(
+  (reports, observer) => {
+    const cspViolationBody = reports[0].body;
+    console.log(`sourceFile: ${cspViolationBody.sourceFile}`);
+    console.log(`lineNumber: ${cspViolationBody.lineNumber}`);
+    console.log(`columnNumber: ${cspViolationBody.columnNumber}`);
+  },
+  {
+    types: ["csp-violation"],
+    buffered: true,
+  },
+);
+
+observer.observe();
+```
+
+Note that while there might be multiple reports in the returned array, for brevity we only log the values of the first element.
+
+#### Results
+
+You can try this out using a [local server](/en-US/docs/Learn/Common_questions/Tools_and_setup/set_up_a_local_testing_server).
+Copy the above code into `test/index.html` and `test/main.js` and run the server in the root directory.
+Assuming the address of the local server is `http://127.0.0.1:9999`, you can then load the HTML file from `http://127.0.0.1:9999/test/` (or `http://127.0.0.1:9999/test/index.html`).
+
+With the above setup, the output of the log on Chrome is:
+
+```plain
+sourceFile: http://127.0.0.1:9999/test/
+lineNumber: 15
+columnNumber: 0
+```
+
+The result is similar for Firefox:
+
+```plain
+sourceFile: http://127.0.0.1:9999/test/
+lineNumber: 15
+columnNumber: 13
+```
+
+Note that the column number is different for the two browsers.
+Chrome always appears to report `0`.
+The value on Firefox represents the position of the first character after the end of the opening `<script>` element.
+
+## Specifications
+
+{{Specifications}}
+
+## Browser compatibility
+
+{{Compat}}
+
+## See also
+
+- {{domxref("SecurityPolicyViolationEvent.columnNumber")}}
diff --git a/files/en-us/web/api/cspviolationreportbody/disposition/index.md b/files/en-us/web/api/cspviolationreportbody/disposition/index.md
new file mode 100644
index 000000000000000..a63af141c75a9f7
--- /dev/null
+++ b/files/en-us/web/api/cspviolationreportbody/disposition/index.md
@@ -0,0 +1,105 @@
+---
+title: "CSPViolationReportBody: disposition property"
+short-title: disposition
+slug: Web/API/CSPViolationReportBody/disposition
+page-type: web-api-instance-property
+browser-compat: api.CSPViolationReportBody.disposition
+---
+
+{{APIRef("Reporting API")}}
+
+The **`disposition`** read-only property of the {{domxref("CSPViolationReportBody")}} interface indicates whether the user agent is configured to enforce [Content Security Policy (CSP)](/en-US/docs/Web/HTTP/CSP) violations or only report them.
+
+## Value
+
+Possible values are:
+
+- `"enforce"`
+  - : The policy is enforced and the resource request is blocked.
+- `"report"`
+  - : The violation is reported but the resource request is not blocked.
+
+## Examples
+
+### CSP inline script violation showing the disposition
+
+This example triggers a CSP violation using an inline script, and reports the violation using a {{domxref("ReportingObserver")}}.
+The `disposition` is logged.
+
+#### HTML
+
+The HTML file below uses the [`<meta>`](/en-US/docs/Web/HTML/Element/meta) element to set the {{httpheader('Content-Security-Policy')}} `default-src` to `self`, which allows scripts and other resources to be loaded from the same domain, but does not allow inline scripts to be executed.
+The document also includes an inline script, which should therefore trigger a CSP violation.
+
+```html
+<!doctype html>
+<html lang="en">
+  <head>
+    <meta
+      http-equiv="Content-Security-Policy"
+      content="default-src 'self'; report-to csp-endpoint" />
+    <meta
+      http-equiv="Reporting-Endpoints"
+      content="csp-endpoint='https://example.com/csp-reports'" />
+    <script src="main.js"></script>
+    <title>CSP: Violation due to inline script</title>
+  </head>
+  <body>
+    <h1>CSP: Violation due to inline script</h1>
+    <script>
+      const int = 4;
+    </script>
+  </body>
+</html>
+```
+
+#### JavaScript (main.js)
+
+The document above also loads the external script `main.js`, which is shown below.
+Because this is loaded from the same domain as the HTML, it is not blocked by the CSP.
+
+The script creates a new {{domxref("ReportingObserver")}} to observe content violation reports of type `"csp-violation"`.
+Each time the callback function is invoked, we get the body of the first entry of the reports array, and use it to log the file, line, and column of the violation to the console.
+
+```js
+// main.js
+const observer = new ReportingObserver(
+  (reports, observer) => {
+    const cspViolationBody = reports[0].body;
+    console.log(`disposition: ${cspViolationBody.disposition}`);
+    // For example: "enforce"
+  },
+  {
+    types: ["csp-violation"],
+    buffered: true,
+  },
+);
+
+observer.observe();
+```
+
+Note that while there might be multiple reports in the returned array, for brevity we only log the values of the first element.
+
+#### Results
+
+If serving the above code, the log output would be:
+
+```plain
+disposition: enforce
+```
+
+> [!NOTE]
+> If `Content-Security-Policy-Reporting-Only` was enabled the disposition would be `report`.
+> Note however, that `Content-Security-Policy-Reporting-Only` must be served: it can't be set in the `<meta>` element as we have done above.
+
+## Specifications
+
+{{Specifications}}
+
+## Browser compatibility
+
+{{Compat}}
+
+## See also
+
+- {{domxref("SecurityPolicyViolationEvent.disposition")}}
diff --git a/files/en-us/web/api/cspviolationreportbody/documenturl/index.md b/files/en-us/web/api/cspviolationreportbody/documenturl/index.md
new file mode 100644
index 000000000000000..298e2c87221bbf1
--- /dev/null
+++ b/files/en-us/web/api/cspviolationreportbody/documenturl/index.md
@@ -0,0 +1,115 @@
+---
+title: "CSPViolationReportBody: documentURL property"
+short-title: documentURL
+slug: Web/API/CSPViolationReportBody/documentURL
+page-type: web-api-instance-property
+browser-compat: api.CSPViolationReportBody.documentURL
+---
+
+{{APIRef("Reporting API")}}
+
+The **`documentURL`** read-only property of the {{domxref("CSPViolationReportBody")}} interface is a string that represents the URL of the document or worker that violated the [Content Security Policy (CSP)](/en-US/docs/Web/HTTP/CSP).
+
+## Value
+
+A string containing the URL of the document or worker that violated the CSP.
+
+## Examples
+
+### CSP inline script violation showing referrer
+
+This example triggers a CSP violation using an inline script, and reports the violation using a {{domxref("ReportingObserver")}}.
+We navigate to the page from another page and log the `referrer`, `documentURL`, and `blockedURL`.
+
+#### HTML
+
+First we define our referrer page `/bounce/index.html`.
+This page just contains a link to another page `../report_sample/index.html`.
+
+```html
+<!doctype html>
+<html lang="en">
+  <head>
+    <meta charset="UTF-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+  </head>
+  <body>
+    <ul>
+      <li><a href="../report_sample/">report sample</a></li>
+    </ul>
+  </body>
+</html>
+```
+
+The `../report_sample/index.html` HTML file is defined below.
+This uses the [`<meta>`](/en-US/docs/Web/HTML/Element/meta) element to set the {{httpheader('Content-Security-Policy')}} `script-src-elem` to `self`, which allows scripts to be loaded from the same domain, but does not allow inline scripts to be executed.
+The document also includes an inline script, which will trigger a CSP violation.
+
+```html
+<!doctype html>
+<!-- /report_sample/index.html -->
+<html lang="en">
+  <head>
+    <meta
+      http-equiv="Content-Security-Policy"
+      content="script-src-elem 'self' 'report-sample'" />
+    <script src="main.js"></script>
+  </head>
+  <body>
+    <script>
+      const int = 4;
+    </script>
+  </body>
+</html>
+```
+
+#### JavaScript (main.js)
+
+The report sample above also loads the external script `main.js`, which is shown below.
+Because this is loaded from the same domain as the HTML, it is not blocked by the CSP.
+
+The script creates a new {{domxref("ReportingObserver")}} to observe content violation reports of type `"csp-violation"`.
+Each time the callback function is invoked, we get the body of the first entry of the reports array, and use it to log the violation `documentURL`, `referrer`, and `blockedURL` to the console.
+
+```js
+// main.js
+const observer = new ReportingObserver(
+  (reports, observer) => {
+    console.log(`documentURL: ${reports[0].body.referrer}`);
+    console.log(`referrer: ${reports[0].body.referrer}`);
+    console.log(`blockedURL: ${reports[0].body.blockedURL}`);
+  },
+  {
+    types: ["csp-violation"],
+    buffered: true,
+  },
+);
+
+observer.observe();
+```
+
+Note that while there might be multiple reports in the returned array, for brevity we only log the values of the first element.
+
+#### Results
+
+The console output for the above code would look a bit like that below (the site will depend on how the pages are served):
+
+```plain
+documentURL: http://127.0.0.1:9999/report_sample/
+referrer: http://127.0.0.1:9999/bounce/
+blockedURL: inline
+```
+
+Note that `referrer` is the page we navigated from, `documentURL` is the page with the CSP violation, and `blockedURL` is not an URL at all in this case, but an indication that the violation was caused by an inline script.
+
+## Specifications
+
+{{Specifications}}
+
+## Browser compatibility
+
+{{Compat}}
+
+## See also
+
+- {{domxref("SecurityPolicyViolationEvent.documentURI")}}
diff --git a/files/en-us/web/api/cspviolationreportbody/effectivedirective/index.md b/files/en-us/web/api/cspviolationreportbody/effectivedirective/index.md
new file mode 100644
index 000000000000000..a0169c932d0351e
--- /dev/null
+++ b/files/en-us/web/api/cspviolationreportbody/effectivedirective/index.md
@@ -0,0 +1,105 @@
+---
+title: "CSPViolationReportBody: effectiveDirective property"
+short-title: effectiveDirective
+slug: Web/API/CSPViolationReportBody/effectiveDirective
+page-type: web-api-instance-property
+browser-compat: api.CSPViolationReportBody.effectiveDirective
+---
+
+{{APIRef("Reporting API")}}
+
+The **`effectiveDirective`** read-only property of the {{domxref("CSPViolationReportBody")}} interface is a string that represents the effective [Content Security Policy (CSP)](/en-US/docs/Web/HTTP/CSP) directive that was violated.
+
+Note that this contains the specific directive that was effectively violated, such as [`script-src-elem`](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src-elem) for violations related to script elements, and not the policy that was specified, which may have been the (more general) [`default-src`](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/default-src).
+
+## Value
+
+A string representing the effective [`Content-Security-Policy` directive](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#directives) that was violated.
+
+## Examples
+
+### CSP inline script violation
+
+This example triggers a CSP violation using an inline script, and reports the violation using a {{domxref("ReportingObserver")}}.
+In particular, it logs the `effectiveDirective` and the `originalPolicy`, making the difference clear.
+
+#### HTML
+
+The HTML file below uses the [`<meta>`](/en-US/docs/Web/HTML/Element/meta) element to set the {{httpheader('Content-Security-Policy')}} `default-src` to `self`, which allows scripts and other resources to be loaded from the same domain, but does not allow inline scripts to be executed.
+The document also includes an inline script, which should trigger a CSP violation.
+
+```html
+<!doctype html>
+<html lang="en">
+  <head>
+    <meta
+      http-equiv="Content-Security-Policy"
+      content="default-src 'self'; report-to csp-endpoint" />
+    <meta
+      http-equiv="Reporting-Endpoints"
+      content="csp-endpoint='https://example.com/csp-reports'" />
+    <script src="main.js"></script>
+    <title>CSP: Violation due to inline script</title>
+  </head>
+  <body>
+    <h1>CSP: Violation due to inline script</h1>
+    <script>
+      const int = 4;
+    </script>
+  </body>
+</html>
+```
+
+#### JavaScript (main.js)
+
+The document above also loads the external script `main.js`, which is shown below.
+Because this is loaded from the same domain as the HTML, it is not blocked by the CSP.
+
+The script creates a new {{domxref("ReportingObserver")}} to observe content violation reports of type `"csp-violation"`.
+Each time the callback function is invoked, we get the body of the first entry of the reports array, and use it to log the effectiveDirective and `originalPolicy` of the violation to the console.
+
+```js
+// main.js
+const observer = new ReportingObserver(
+  (reports, observer) => {
+    console.log(`effectiveDirective: ${reports[0].body.effectiveDirective}`);
+    // effectiveDirective: script-src-elem
+    console.log(`originalPolicy: ${reports[0].body.originalPolicy}`);
+    // originalPolicy: default-src 'self'; report-to csp-endpoint
+  },
+  {
+    types: ["csp-violation"],
+    buffered: true,
+  },
+);
+
+observer.observe();
+```
+
+Note that while there might be multiple reports in the returned array, for brevity we only log the values of the first element.
+
+#### Results
+
+The console output for the above code is:
+
+```plain
+effectiveDirective: script-src-elem
+originalPolicy: default-src 'self'; report-to csp-endpoint
+```
+
+Note that the `orginalPolicy` matches the `<meta>` content of the `Content-Security-Policy` directive in the HTML, and specifies that the policy is `self` by default (`default-src 'self'`).
+
+The `effectiveDirective` is `script-src-elem`, which specifies valid sources for JavaScript {{htmlelement("script")}} elements.
+This is the specific directive that has effectively been violated, even though `default-src` was set in the policy.
+
+## Specifications
+
+{{Specifications}}
+
+## Browser compatibility
+
+{{Compat}}
+
+## See also
+
+- {{domxref("SecurityPolicyViolationEvent.effectiveDirective")}}
diff --git a/files/en-us/web/api/cspviolationreportbody/index.md b/files/en-us/web/api/cspviolationreportbody/index.md
index e4a5311f9593fb4..b3919a74b631e36 100644
--- a/files/en-us/web/api/cspviolationreportbody/index.md
+++ b/files/en-us/web/api/cspviolationreportbody/index.md
@@ -28,7 +28,7 @@ These reports similarly have a `type` of `"csp-violation"`, and a `body` propert
 _Also inherits properties from its parent interface, {{DOMxRef("ReportBody")}}._
 
 - {{domxref("CSPViolationReportBody.blockedURL")}} {{ReadOnlyInline}}
-  - : A string representing the URL of the resource that was blocked because it violates the CSP.
+  - : A string representing either the type or the URL of the resource that was blocked because it violates the CSP.
 - {{domxref("CSPViolationReportBody.columnNumber")}} {{ReadOnlyInline}}
   - : The column number in the script at which the violation occurred.
 - {{domxref("CSPViolationReportBody.disposition")}} {{ReadOnlyInline}}
@@ -64,12 +64,18 @@ _Also inherits methods from its parent interface, {{DOMxRef("ReportBody")}}._
 To obtain a `CSPViolationReportBody` object, you must configure your page so that a CSP violation will occur.
 In this example, we will set our CSP to only allow content from the site's own origin, and then attempt to load a script from `apis.google.com`, which is an external origin.
 
-First, we will set our {{HTTPHeader("Content-Security-Policy")}} header:
+First, we will set our {{HTTPHeader("Content-Security-Policy")}} header in the HTTP response:
 
 ```http
 Content-Security-Policy: default-src 'self';
 ```
 
+or in the HTML [`<meta>`](/en-US/docs/Web/HTML/Element/meta) element:
+
+```html
+<meta http-equiv="Content-Security-Policy" content="default-src 'self'" />
+```
+
 Then, we will attempt to load an external script:
 
 ```html
@@ -82,7 +88,10 @@ Finally, we will create a new {{domxref("ReportingObserver")}} object to listen
 ```js
 const observer = new ReportingObserver(
   (reports, observer) => {
-    const cspViolation = reports[0];
+    reports.forEach((violation) => {
+      console.log(violation);
+      console.log(JSON.stringify(violation));
+    });
   },
   {
     types: ["csp-violation"],
@@ -93,7 +102,7 @@ const observer = new ReportingObserver(
 observer.observe();
 ```
 
-If we were to log the violation report object, it would look similar to the object below.
+Above we log the each violation report object and a JSON-string version of the object, which might look similar to the object below.
 Note that the `body` is an instance of the `CSPViolationReportBody` and the `type` is `"csp-violation"`.
 
 ```js
@@ -130,7 +139,7 @@ Reporting-Endpoints: csp-endpoint="https://example.com/csp-report-to"
 Content-Security-Policy: default-src 'self'; report-to csp-endpoint
 ```
 
-As before, we can trigger the violation by loading an external script from a location that is not allowed by our CSP header:
+As before, we can trigger a violation by loading an external script from a location that is not allowed by our CSP header:
 
 ```html
 <!-- This should generate a CSP violation -->
@@ -153,7 +162,7 @@ As you can see from the example below, the `type` is `"csp-violation"` and the `
       "lineNumber": 1441,
       "originalPolicy": "default-src 'self'; report-to csp-endpoint",
       "referrer": "https://www.google.com/",
-      "sample": "console.log(\"lo\")",
+      "sample": "",
       "sourceFile": "https://example.com/csp-report-to",
       "statusCode": 200
     },
diff --git a/files/en-us/web/api/cspviolationreportbody/linenumber/index.md b/files/en-us/web/api/cspviolationreportbody/linenumber/index.md
new file mode 100644
index 000000000000000..debe2ebbf9f2da0
--- /dev/null
+++ b/files/en-us/web/api/cspviolationreportbody/linenumber/index.md
@@ -0,0 +1,120 @@
+---
+title: "CSPViolationReportBody: lineNumber property"
+short-title: lineNumber
+slug: Web/API/CSPViolationReportBody/lineNumber
+page-type: web-api-instance-property
+browser-compat: api.CSPViolationReportBody.lineNumber
+---
+
+{{APIRef("Reporting API")}}
+
+The **`lineNumber`** read-only property of the {{domxref("CSPViolationReportBody")}} interface indicates the line number in the source file that triggered the [Content Security Policy (CSP)](/en-US/docs/Web/HTTP/CSP) violation.
+
+Note that the browser extracts the value from _the global object_ of the file that triggered the violation.
+If the resource that triggers the CSP violation is not loaded, the value will be `null`.
+See {{domxref("CSPViolationReportBody.sourceFile")}} for more information.
+
+This property is most useful alongside {{domxref("CSPViolationReportBody.sourceFile")}} and {{domxref("CSPViolationReportBody.columnNumber")}}, as it provides the location of the line in that file and the column that resulted in a violation.
+
+## Value
+
+An integer containing the line number that triggered the violation, or `null`.
+
+## Examples
+
+### CSP inline script violation
+
+This example triggers a CSP violation using an inline script, and reports the violation using a {{domxref("ReportingObserver")}}.
+
+#### HTML
+
+The HTML file below uses the [`<meta>`](/en-US/docs/Web/HTML/Element/meta) element to set the {{httpheader('Content-Security-Policy')}} `default-src` to `self`, which allows scripts and other resources to be loaded from the same origin, but does not allow inline scripts to be executed.
+The document also includes an inline script, which should therefore trigger a CSP violation.
+
+```html
+<!doctype html>
+<html lang="en">
+  <head>
+    <meta
+      http-equiv="Content-Security-Policy"
+      content="default-src 'self'; report-to csp-endpoint" />
+    <meta
+      http-equiv="Reporting-Endpoints"
+      content="csp-endpoint='https://example.com/csp-reports'" />
+    <script src="main.js"></script>
+    <title>CSP: Violation due to inline script</title>
+  </head>
+  <body>
+    <h1>CSP: Violation due to inline script</h1>
+    <script>
+      const int = 4;
+    </script>
+  </body>
+</html>
+```
+
+#### JavaScript (main.js)
+
+The document above also loads the external script `main.js`, which is shown below.
+Because this is loaded from the same domain as the HTML, it is not blocked by the CSP.
+
+The script creates a new {{domxref("ReportingObserver")}} to observe content violation reports of type `"csp-violation"`.
+Each time the callback function is invoked, we get the body of the first entry of the reports array, and use it to log the file, line, and column of the violation to the console.
+
+```js
+// main.js
+const observer = new ReportingObserver(
+  (reports, observer) => {
+    const cspViolationBody = reports[0].body;
+    console.log(`sourceFile: ${cspViolationBody.sourceFile}`);
+    console.log(`lineNumber: ${cspViolationBody.lineNumber}`);
+    console.log(`columnNumber: ${cspViolationBody.columnNumber}`);
+  },
+  {
+    types: ["csp-violation"],
+    buffered: true,
+  },
+);
+
+observer.observe();
+```
+
+Note that while there might be multiple reports in the returned array, for brevity we only log the values of the first element.
+
+#### Results
+
+You can try this out using a [local server](/en-US/docs/Learn/Common_questions/Tools_and_setup/set_up_a_local_testing_server).
+Copy the above code into `test/index.html` and `test/main.js` and run the server in the root directory.
+Assuming the address of the local server is `http://127.0.0.1:9999`, you can then load the HTML file from `http://127.0.0.1:9999/test/` (or `http://127.0.0.1:9999/test/index.html`).
+
+With the above setup, the output of the log on Chrome is:
+
+```plain
+sourceFile: http://127.0.0.1:9999/test/
+lineNumber: 15
+columnNumber: 0
+```
+
+The result is similar for Firefox:
+
+```plain
+sourceFile: http://127.0.0.1:9999/test/
+lineNumber: 15
+columnNumber: 13
+```
+
+Note that the column number is different for the two browsers.
+Chrome always appears to report `0`.
+The value on Firefox represents the position of the first character after the end of the opening `<script>` element.
+
+## Specifications
+
+{{Specifications}}
+
+## Browser compatibility
+
+{{Compat}}
+
+## See also
+
+- {{domxref("SecurityPolicyViolationEvent.lineNumber")}}
diff --git a/files/en-us/web/api/cspviolationreportbody/originalpolicy/index.md b/files/en-us/web/api/cspviolationreportbody/originalpolicy/index.md
new file mode 100644
index 000000000000000..6c9eadf4066fac3
--- /dev/null
+++ b/files/en-us/web/api/cspviolationreportbody/originalpolicy/index.md
@@ -0,0 +1,107 @@
+---
+title: "CSPViolationReportBody: originalPolicy property"
+short-title: originalPolicy
+slug: Web/API/CSPViolationReportBody/originalPolicy
+page-type: web-api-instance-property
+browser-compat: api.CSPViolationReportBody.originalPolicy
+---
+
+{{APIRef("Reporting API")}}
+
+The **`originalPolicy`** read-only property of the {{domxref("CSPViolationReportBody")}} interface is a string that represents the [Content Security Policy (CSP)](/en-US/docs/Web/HTTP/CSP) whose enforcement uncovered the violation.
+
+This is the string in the {{HTTPHeader("Content-Security-Policy")}} HTTP response header that contains the list of [directives](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#directives) and their values that make the CSP policy.
+Note that differs from the {{domxref("CSPViolationReportBody.effectiveDirective","effectiveDirective")}}, which is the specific directive that is effectively being violated (and which might not be explicitly listed in the policy if `default-src` is used).
+
+## Value
+
+A string representing the policy whose enforcement uncovered the violation.
+
+## Examples
+
+### CSP inline script violation
+
+This example triggers a CSP violation using an inline script, and reports the violation using a {{domxref("ReportingObserver")}}.
+In particular, it logs the `effectiveDirective` and the `originalPolicy`, making the difference clear.
+
+#### HTML
+
+The HTML file below uses the [`<meta>`](/en-US/docs/Web/HTML/Element/meta) element to set the {{httpheader('Content-Security-Policy')}} `default-src` to `self`, which allows scripts and other resources to be loaded from the same domain, but does not allow inline scripts to be executed.
+The document also includes an inline script, which should trigger a CSP violation.
+
+```html
+<!doctype html>
+<html lang="en">
+  <head>
+    <meta
+      http-equiv="Content-Security-Policy"
+      content="default-src 'self'; report-to csp-endpoint" />
+    <!-- This is the (original) CSP policy -->
+    <meta
+      http-equiv="Reporting-Endpoints"
+      content="csp-endpoint='https://example.com/csp-reports'" />
+    <script src="main.js"></script>
+    <title>CSP: Violation due to inline script</title>
+  </head>
+  <body>
+    <h1>CSP: Violation due to inline script</h1>
+    <script>
+      const int = 4;
+    </script>
+  </body>
+</html>
+```
+
+#### JavaScript (main.js)
+
+The document above also loads the external script `main.js`, which is shown below.
+Because this is loaded from the same domain as the HTML, it is not blocked by the CSP.
+
+The script creates a new {{domxref("ReportingObserver")}} to observe content violation reports of type `"csp-violation"`.
+Each time the callback function is invoked, we get the body of the first entry of the reports array, and use it to log the effectiveDirective and `originalPolicy` of the violation to the console.
+
+```js
+// main.js
+const observer = new ReportingObserver(
+  (reports, observer) => {
+    console.log(`effectiveDirective: ${reports[0].body.effectiveDirective}`);
+    // effectiveDirective: script-src-elem
+    console.log(`originalPolicy: ${reports[0].body.originalPolicy}`);
+    // originalPolicy: default-src 'self'; report-to csp-endpoint
+  },
+  {
+    types: ["csp-violation"],
+    buffered: true,
+  },
+);
+
+observer.observe();
+```
+
+Note that while there might be multiple reports in the returned array, for brevity we only log the values of the first element.
+
+#### Results
+
+The console output for the above code is:
+
+```plain
+effectiveDirective: script-src-elem
+originalPolicy: default-src 'self'; report-to csp-endpoint
+```
+
+Note that the `orginalPolicy` matches the `<meta>` content of the `Content-Security-Policy` directive in the HTML, and specifies that the policy is `self` by default (`default-src 'self'`).
+
+The `effectiveDirective` is `script-src-elem`, which specifies valid sources for JavaScript {{htmlelement("script")}} elements.
+This is the specific directive that has effectively been violated, even though `default-src` was set in the policy.
+
+## Specifications
+
+{{Specifications}}
+
+## Browser compatibility
+
+{{Compat}}
+
+## See also
+
+- {{domxref("SecurityPolicyViolationEvent.originalPolicy")}}
diff --git a/files/en-us/web/api/cspviolationreportbody/referrer/index.md b/files/en-us/web/api/cspviolationreportbody/referrer/index.md
new file mode 100644
index 000000000000000..f04a3924e4680bd
--- /dev/null
+++ b/files/en-us/web/api/cspviolationreportbody/referrer/index.md
@@ -0,0 +1,121 @@
+---
+title: "CSPViolationReportBody: referrer property"
+short-title: referrer
+slug: Web/API/CSPViolationReportBody/referrer
+page-type: web-api-instance-property
+browser-compat: api.CSPViolationReportBody.referrer
+---
+
+{{APIRef("Reporting API")}}
+
+The **`referrer`** read-only property of the {{domxref("CSPViolationReportBody")}} interface is a string that represents the URL of the referring page of the resource who's [Content Security Policy (CSP)](/en-US/docs/Web/HTTP/CSP) was violated.
+
+The referrer is the page that caused the page with the CSP violation to be loaded. For example, if we followed a link to a page with a CSP violation, the `referrer` is the page that we navigated from.
+
+## Value
+
+A string representing the URL for the referrer of the page with the CSP violation, or null.
+
+Note that if the referrer is an HTTP(S) URL then any username, password or fragment is removed.
+If the URL scheme is not `http:` or `https:` then just the scheme is returned.
+
+## Examples
+
+### CSP inline script violation showing referrer
+
+This example triggers a CSP violation using an inline script, and reports the violation using a {{domxref("ReportingObserver")}}.
+We navigate to the page from another page and log the `referrer`, `documentURL`, and `blockedURL`.
+
+#### HTML
+
+First we define our referrer page `/bounce/index.html`.
+This page just contains a link to another page `../report_sample/index.html`.
+
+```html
+<!doctype html>
+<html lang="en">
+  <head>
+    <meta charset="UTF-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+  </head>
+  <body>
+    <ul>
+      <li><a href="../report_sample/">report sample</a></li>
+    </ul>
+  </body>
+</html>
+```
+
+The `../report_sample/index.html` HTML file is defined below.
+This uses the [`<meta>`](/en-US/docs/Web/HTML/Element/meta) element to set the {{httpheader('Content-Security-Policy')}} `script-src-elem` to `self`, which allows scripts to be loaded from the same domain, but does not allow inline scripts to be executed.
+The document also includes an inline script, which will trigger a CSP violation.
+
+```html
+<!doctype html>
+<!-- /report_sample/index.html -->
+<html lang="en">
+  <head>
+    <meta
+      http-equiv="Content-Security-Policy"
+      content="script-src-elem 'self' 'report-sample'" />
+    <script src="main.js"></script>
+  </head>
+  <body>
+    <script>
+      const int = 4;
+    </script>
+  </body>
+</html>
+```
+
+#### JavaScript (main.js)
+
+The report sample above also loads the external script `main.js`, which is shown below.
+Because this is loaded from the same domain as the HTML, it is not blocked by the CSP.
+
+The script creates a new {{domxref("ReportingObserver")}} to observe content violation reports of type `"csp-violation"`.
+Each time the callback function is invoked, we get the body of the first entry of the reports array, and use it to log the violation `documentURL`, `referrer`, and `blockedURL` to the console.
+
+```js
+// main.js
+const observer = new ReportingObserver(
+  (reports, observer) => {
+    console.log(`documentURL: ${reports[0].body.referrer}`);
+    console.log(`referrer: ${reports[0].body.referrer}`);
+    console.log(`blockedURL: ${reports[0].body.blockedURL}`);
+  },
+  {
+    types: ["csp-violation"],
+    buffered: true,
+  },
+);
+
+observer.observe();
+```
+
+Note that while there might be multiple reports in the returned array, for brevity we only log the values of the first element.
+
+#### Results
+
+The console output for the above code would look a bit like that below (the site will depend on how the pages are served):
+
+```plain
+documentURL: http://127.0.0.1:9999/report_sample/
+referrer: http://127.0.0.1:9999/bounce/
+blockedURL: inline
+```
+
+Note that `referrer` is the page we navigated from, `documentURL` is the page with the CSP violation, and `blockedURL` is not an URL at all in this case, but an indication that the violation was caused by an unsafe inline script.
+
+## Specifications
+
+{{Specifications}}
+
+## Browser compatibility
+
+{{Compat}}
+
+## See also
+
+- {{domxref("SecurityPolicyViolationEvent.referrer")}}
+- {{httpheader("Referer")}}
diff --git a/files/en-us/web/api/cspviolationreportbody/sample/index.md b/files/en-us/web/api/cspviolationreportbody/sample/index.md
new file mode 100644
index 000000000000000..8dd858e9fbc3b5f
--- /dev/null
+++ b/files/en-us/web/api/cspviolationreportbody/sample/index.md
@@ -0,0 +1,103 @@
+---
+title: "CSPViolationReportBody: sample property"
+short-title: sample
+slug: Web/API/CSPViolationReportBody/sample
+page-type: web-api-instance-property
+browser-compat: api.CSPViolationReportBody.sample
+---
+
+{{APIRef("Reporting API")}}
+
+The **`sample`** read-only property of the {{domxref("CSPViolationReportBody")}} interface is a string that contains a part of the resource that violated the [Content Security Policy (CSP)](/en-US/docs/Web/HTTP/CSP).
+
+This sample is usually the first 40 characters of the inline script, event handler, or style that violated a CSP restriction.
+If not populated it is the empty string `""`.
+
+Note that this is only populated when attempting to load _inline_ scripts, event handlers, or styles that violate CSP [`script-src*`](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#script-src) and [`style-src*`](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#style-src) rules — external resources that violate the CSP will not generate a sample.
+In addition, a sample is only included if the `Content-Security-Policy` directive that was violated also contains the [`'report-sample'`](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#report-sample) keyword.
+
+> [!NOTE] Violation reports should be considered attacker-controlled data.
+> The content of this field _in particular_ should be sanitized before storing or rendering.
+
+## Value
+
+A string containing a sample of the inline resource that violated the CSP, usually the first 40 characters, or the empty string.
+
+## Examples
+
+### CSP inline script violation
+
+This example triggers a CSP violation using an inline script, and reports the violation using a {{domxref("ReportingObserver")}}.
+We also add `'report-sample'` to the CSP in order to populate a `sample` in the body.
+
+#### HTML
+
+The HTML file below uses the [`<meta>`](/en-US/docs/Web/HTML/Element/meta) element to set the {{httpheader('Content-Security-Policy')}} `script-src-elem` to `self`, which allows scripts to be loaded from the same domain, but does not allow inline scripts to be executed.
+We include `'report-sample'` in the directive so that a sample is generated.
+The document also includes an inline script, which should trigger a CSP violation.
+
+```html
+<!doctype html>
+<html lang="en">
+  <head>
+    <meta
+      http-equiv="Content-Security-Policy"
+      content="script-src-elem 'self' 'report-sample'" />
+    <script src="main.js"></script>
+    <title>CSP: Violation due to inline script</title>
+  </head>
+  <body>
+    <h1>CSP: Violation due to inline script</h1>
+    <script>
+      const int = 4;
+    </script>
+  </body>
+</html>
+```
+
+#### JavaScript (main.js)
+
+The document above also loads the external script `main.js`, which is shown below.
+Because this is loaded from the same domain as the HTML, it is not blocked by the CSP.
+
+The script creates a new {{domxref("ReportingObserver")}} to observe content violation reports of type `"csp-violation"`.
+Each time the callback function is invoked, we get the body of the first entry of the reports array, and use it to log the violation `sample` to the console.
+
+```js
+// main.js
+const observer = new ReportingObserver(
+  (reports, observer) => {
+    console.log(`sample: ${reports[0].body.sample}`);
+  },
+  {
+    types: ["csp-violation"],
+    buffered: true,
+  },
+);
+
+observer.observe();
+```
+
+Note that while there might be multiple reports in the returned array, for brevity we only log the values of the first element.
+
+#### Results
+
+The console output for the above code is:
+
+```plain
+sample: const int = 4;
+```
+
+In this case the sample contains the entire content of the inline script.
+
+## Specifications
+
+{{Specifications}}
+
+## Browser compatibility
+
+{{Compat}}
+
+## See also
+
+- {{domxref("SecurityPolicyViolationEvent.sample")}}
diff --git a/files/en-us/web/api/cspviolationreportbody/sourcefile/index.md b/files/en-us/web/api/cspviolationreportbody/sourcefile/index.md
new file mode 100644
index 000000000000000..d410b432654c4a8
--- /dev/null
+++ b/files/en-us/web/api/cspviolationreportbody/sourcefile/index.md
@@ -0,0 +1,123 @@
+---
+title: "CSPViolationReportBody: sourceFile property"
+short-title: sourceFile
+slug: Web/API/CSPViolationReportBody/sourceFile
+page-type: web-api-instance-property
+browser-compat: api.CSPViolationReportBody.sourceFile
+---
+
+{{APIRef("Reporting API")}}
+
+The **`sourceFile`** read-only property of the {{domxref("CSPViolationReportBody")}} interface indicates the URL of the source file that violated the [Content Security Policy (CSP)](/en-US/docs/Web/HTTP/CSP).
+
+For a violation triggered by the use of an inline script, `sourceFile` is the URL of the current document.
+Similarly, if a document successfully loads a script that then violates the document CSP, the `sourceFile` is the URL of the script.
+
+Note however that if a document with a CSP that blocks external resources attempts to load an external resource, `sourceFile` will be `null`.
+This is because the browser extracts the value from _the global object_ of the file that triggered the violation.
+Because of the CSP restriction the external resource is never loaded, and therefore has no corresponding global object.
+
+This property is most useful alongside {{domxref("CSPViolationReportBody.lineNumber")}} and {{domxref("CSPViolationReportBody.columnNumber")}}, which provide the location within the file that resulted in a violation.
+
+## Value
+
+A string containing the URL of the file that triggered the violation, or `null`.
+
+## Examples
+
+### CSP inline script violation
+
+This example triggers a CSP violation using an inline script, and reports the violation using a {{domxref("ReportingObserver")}}.
+
+#### HTML
+
+The HTML file below uses the [`<meta>`](/en-US/docs/Web/HTML/Element/meta) element to set the {{httpheader('Content-Security-Policy')}} `default-src` to `self`, which allows scripts and other resources to be loaded from the same origin, but does not allow inline scripts to be executed.
+The document also includes an inline script, which should therefore trigger a CSP violation.
+
+```html
+<!doctype html>
+<html lang="en">
+  <head>
+    <meta
+      http-equiv="Content-Security-Policy"
+      content="default-src 'self'; report-to csp-endpoint" />
+    <meta
+      http-equiv="Reporting-Endpoints"
+      content="csp-endpoint='https://example.com/csp-reports'" />
+    <script src="main.js"></script>
+    <title>CSP: Violation due to inline script</title>
+  </head>
+  <body>
+    <h1>CSP: Violation due to inline script</h1>
+    <script>
+      const int = 4;
+    </script>
+  </body>
+</html>
+```
+
+#### JavaScript (main.js)
+
+The document above also loads the external script `main.js`, which is shown below.
+Because this is loaded from the same domain as the HTML, it is not blocked by the CSP.
+
+The script creates a new {{domxref("ReportingObserver")}} to observe content violation reports of type `"csp-violation"`.
+Each time the callback function is invoked, we get the body of the first entry of the reports array, and use it to log the file, line, and column of the violation to the console.
+
+```js
+// main.js
+const observer = new ReportingObserver(
+  (reports, observer) => {
+    const cspViolationBody = reports[0].body;
+    console.log(`sourceFile: ${cspViolationBody.sourceFile}`);
+    console.log(`lineNumber: ${cspViolationBody.lineNumber}`);
+    console.log(`columnNumber: ${cspViolationBody.columnNumber}`);
+  },
+  {
+    types: ["csp-violation"],
+    buffered: true,
+  },
+);
+
+observer.observe();
+```
+
+Note that while there might be multiple reports in the returned array, for brevity we only log the values of the first element.
+
+#### Results
+
+You can try this out using a [local server](/en-US/docs/Learn/Common_questions/Tools_and_setup/set_up_a_local_testing_server).
+Copy the above code into `test/index.html` and `test/main.js` and run the server in the root directory.
+Assuming the address of the local server is `http://127.0.0.1:9999`, you can then load the HTML file from `http://127.0.0.1:9999/test/` (or `http://127.0.0.1:9999/test/index.html`).
+
+With the above setup, the output of the log on Chrome is:
+
+```plain
+sourceFile: http://127.0.0.1:9999/test/
+lineNumber: 15
+columnNumber: 0
+```
+
+The result is similar for Firefox:
+
+```plain
+sourceFile: http://127.0.0.1:9999/test/
+lineNumber: 15
+columnNumber: 13
+```
+
+Note that the column number is different for the two browsers.
+Chrome always appears to report `0`.
+The value on Firefox represents the position of the first character after the end of the opening `<script>` element.
+
+## Specifications
+
+{{Specifications}}
+
+## Browser compatibility
+
+{{Compat}}
+
+## See also
+
+- {{domxref("SecurityPolicyViolationEvent.sourceFile")}}
diff --git a/files/en-us/web/api/cspviolationreportbody/statuscode/index.md b/files/en-us/web/api/cspviolationreportbody/statuscode/index.md
new file mode 100644
index 000000000000000..845e06a79b8348d
--- /dev/null
+++ b/files/en-us/web/api/cspviolationreportbody/statuscode/index.md
@@ -0,0 +1,49 @@
+---
+title: "CSPViolationReportBody: statusCode property"
+short-title: statusCode
+slug: Web/API/CSPViolationReportBody/statusCode
+page-type: web-api-instance-property
+browser-compat: api.CSPViolationReportBody.statusCode
+---
+
+{{APIRef("Reporting API")}}
+
+The **`statusCode`** read-only property of the {{domxref("CSPViolationReportBody")}} interface is a number representing the [HTTP status code](/en-US/docs/Web/HTTP/Status) of the response to the request that triggered a [Content Security Policy (CSP)](/en-US/docs/Web/HTTP/CSP) violation (when loading a window or worker).
+
+## Value
+
+A number representing the HTTP status code of the response to the request that triggered the CSP violation.
+
+## Examples
+
+In this example we create a new {{domxref("ReportingObserver")}} to observe content violation reports of type `"csp-violation"`.
+Each time the callback function is invoked, we log the status code for the first entry of the reports array.
+
+```js
+const observer = new ReportingObserver(
+  (reports, observer) => {
+    console.log(`statusCode: ${reports[0].body.statusCode}`);
+    // For example: 200
+  },
+  {
+    types: ["csp-violation"],
+    buffered: true,
+  },
+);
+
+observer.observe();
+```
+
+Note that while there might be multiple reports in the returned array, for brevity we only log the status code of the first report.
+
+## Specifications
+
+{{Specifications}}
+
+## Browser compatibility
+
+{{Compat}}
+
+## See also
+
+- {{domxref("SecurityPolicyViolationEvent.statusCode")}}
diff --git a/files/en-us/web/api/cspviolationreportbody/tojson/index.md b/files/en-us/web/api/cspviolationreportbody/tojson/index.md
new file mode 100644
index 000000000000000..67a8f301062791e
--- /dev/null
+++ b/files/en-us/web/api/cspviolationreportbody/tojson/index.md
@@ -0,0 +1,64 @@
+---
+title: "CSPViolationReportBody: toJSON() method"
+short-title: toJSON()
+slug: Web/API/CSPViolationReportBody/toJSON
+page-type: web-api-instance-method
+browser-compat: api.CSPViolationReportBody.toJSON
+---
+
+{{APIRef("Reporting API")}}
+
+The **`toJSON()`** method of the {{domxref("CSPViolationReportBody")}} interface is a _serializer_, which returns a JSON representation of the `CSPViolationReportBody` object.
+
+The existence of a `toJSON()` method allows `CSPViolationReportBody` objects to be converted to a string using the {{jsxref("JSON.stringify()")}} method.
+
+This is used by the reporting API when creating a serialized version of a violation report to send to a reporting endpoint.
+
+## Syntax
+
+```js-nolint
+toJSON()
+```
+
+### Parameters
+
+None.
+
+### Return value
+
+A JSON object that is the serialization of the {{domxref("CSPViolationReportBody")}} object.
+
+## Examples
+
+In this example we create a new {{domxref("ReportingObserver")}} to observe CSP violation reports, then return a JSON representation of the first entry.
+
+```js
+const observer = new ReportingObserver(
+  (reports, observer) => {
+    const firstReport = reports[0];
+    // Log JSON object
+    console.log(firstReport.toJSON());
+    // Log JSON object as a string
+    console.log(JSON.stringify(firstReport));
+  },
+  {
+    types: ["csp-violation"],
+    buffered: true,
+  },
+);
+
+observer.observe();
+```
+
+We call `toJSON()` on the `firstReport`, which is a {{domxref("Report")}} instance, which in turn results in the `toJSON()` defined in this interface being called to serialize the `body` of the report.
+
+For the purpose of demonstration we also call `JSON.stringify()` on `firstReport` to create a string containing the JSON data.
+When sending or storing report information it is more common to do this than use `toJSON()` directly.
+
+## Specifications
+
+{{Specifications}}
+
+## Browser compatibility
+
+{{Compat}}
diff --git a/files/en-us/web/api/reporting_api/index.md b/files/en-us/web/api/reporting_api/index.md
index a1f05bbbd5d6720..713dfb4a4f36324 100644
--- a/files/en-us/web/api/reporting_api/index.md
+++ b/files/en-us/web/api/reporting_api/index.md
@@ -4,7 +4,11 @@ slug: Web/API/Reporting_API
 page-type: web-api-overview
 status:
   - experimental
-spec-urls: https://w3c.github.io/reporting/#intro
+spec-urls:
+  - https://w3c.github.io/reporting/#intro
+  - https://w3c.github.io/webappsec-csp/#cspviolationreportbody
+  - https://wicg.github.io/deprecation-reporting/#deprecationreportbody
+  - https://wicg.github.io/intervention-reporting/#intervention-report
 ---
 
 {{SeeCompatTable}}{{DefaultAPISidebar("Reporting API")}}
@@ -96,7 +100,7 @@ These HTTP response headers define the endpoints where reports are sent.
 
 - {{HTTPHeader("Reporting-Endpoints")}}
   - : Sets the name and URL of reporting endpoints.
-    These can be used in the `report-to` directive, which may be used with a number of HTTP headers including {{httpheader("Content-Security-Policy")}}.
+    These endpoints can be used in the `report-to` directive, which may be used with a number of HTTP headers including {{httpheader("Content-Security-Policy")}} and or {{HTTPHeader("Content-Security-Policy-Report-Only")}}.
 - {{HTTPHeader("Report-To")}} {{deprecated_inline}}
   - : Sets the name and URL of reporting endpoint groups, which may be used with a number of HTTP headers including `Content-Security-Policy`.
 
@@ -152,12 +156,9 @@ This causes a deprecation report to be generated; because of the event handler w
 
 ## Browser compatibility
 
-Support is at an early stage right now. Firefox supports the JavaScript API and the `Report-To` header behind preferences:
+The API is supported by Chromium browsers, and by Firefox behind a preference (`dom.reporting.enabled`).
 
-- JavaScript API: `dom.reporting.enabled` (enabled in nightly only)
-- HTTP header: `dom.reporting.header.enabled`
-
-Chrome is also working on an implementation: [information about Chrome implementation](https://developer.chrome.com/docs/capabilities/web-apis/reporting-api).
+See the specific interfaces for more detailed support information.
 
 ## See also
 
diff --git a/files/en-us/web/api/securitypolicyviolationevent/blockeduri/index.md b/files/en-us/web/api/securitypolicyviolationevent/blockeduri/index.md
index c5dc3882bd314a4..31c398e425d3967 100644
--- a/files/en-us/web/api/securitypolicyviolationevent/blockeduri/index.md
+++ b/files/en-us/web/api/securitypolicyviolationevent/blockeduri/index.md
@@ -32,4 +32,4 @@ document.addEventListener("securitypolicyviolation", (e) => {
 
 ## See also
 
-- [`CSPViolationReportBody.blockedURL`](/en-US/docs/Web/API/CSPViolationReportBody#cspviolationreportbody.blockedurl)
+- {{domxref("CSPViolationReportBody.blockedURL")}}
diff --git a/files/en-us/web/api/securitypolicyviolationevent/columnnumber/index.md b/files/en-us/web/api/securitypolicyviolationevent/columnnumber/index.md
index 657bd743da1e374..673bc60df664614 100644
--- a/files/en-us/web/api/securitypolicyviolationevent/columnnumber/index.md
+++ b/files/en-us/web/api/securitypolicyviolationevent/columnnumber/index.md
@@ -32,4 +32,4 @@ document.addEventListener("securitypolicyviolation", (e) => {
 
 ## See also
 
-- [`CSPViolationReportBody.columnNumber`](/en-US/docs/Web/API/CSPViolationReportBody#cspviolationreportbody.columnnumber)
+- {{domxref("CSPViolationReportBody.columnNumber")}}
diff --git a/files/en-us/web/api/securitypolicyviolationevent/disposition/index.md b/files/en-us/web/api/securitypolicyviolationevent/disposition/index.md
index 54bdd24fa6d5182..f4e1c7de465b253 100644
--- a/files/en-us/web/api/securitypolicyviolationevent/disposition/index.md
+++ b/files/en-us/web/api/securitypolicyviolationevent/disposition/index.md
@@ -37,4 +37,4 @@ document.addEventListener("securitypolicyviolation", (e) => {
 
 ## See also
 
-- [`CSPViolationReportBody.disposition`](/en-US/docs/Web/API/CSPViolationReportBody#cspviolationreportbody.disposition)
+- {{domxref("CSPViolationReportBody.disposition")}}
diff --git a/files/en-us/web/api/securitypolicyviolationevent/documenturi/index.md b/files/en-us/web/api/securitypolicyviolationevent/documenturi/index.md
index ca2a3256e748ead..1e3d7c50a7ef394 100644
--- a/files/en-us/web/api/securitypolicyviolationevent/documenturi/index.md
+++ b/files/en-us/web/api/securitypolicyviolationevent/documenturi/index.md
@@ -32,4 +32,4 @@ document.addEventListener("securitypolicyviolation", (e) => {
 
 ## See also
 
-- [`CSPViolationReportBody.documentURL`](/en-US/docs/Web/API/CSPViolationReportBody#cspviolationreportbody.documenturl)
+- {{domxref("CSPViolationReportBody.documentURL")}}
diff --git a/files/en-us/web/api/securitypolicyviolationevent/effectivedirective/index.md b/files/en-us/web/api/securitypolicyviolationevent/effectivedirective/index.md
index 28411c3f368a44f..772d41853d0e871 100644
--- a/files/en-us/web/api/securitypolicyviolationevent/effectivedirective/index.md
+++ b/files/en-us/web/api/securitypolicyviolationevent/effectivedirective/index.md
@@ -34,4 +34,4 @@ document.addEventListener("securitypolicyviolation", (e) => {
 
 ## See also
 
-- [`CSPViolationReportBody.effectiveDirective`](/en-US/docs/Web/API/CSPViolationReportBody#cspviolationreportbody.effectivedirective)
+- {{domxref("CSPViolationReportBody.effectiveDirective")}}
diff --git a/files/en-us/web/api/securitypolicyviolationevent/linenumber/index.md b/files/en-us/web/api/securitypolicyviolationevent/linenumber/index.md
index 26eaf08f16d0f46..a25e35a72d11479 100644
--- a/files/en-us/web/api/securitypolicyviolationevent/linenumber/index.md
+++ b/files/en-us/web/api/securitypolicyviolationevent/linenumber/index.md
@@ -32,4 +32,4 @@ document.addEventListener("securitypolicyviolation", (e) => {
 
 ## See also
 
-- [`CSPViolationReportBody.lineNumber`](/en-US/docs/Web/API/CSPViolationReportBody#cspviolationreportbody.linenumber)
+- {{domxref("CSPViolationReportBody.lineNumber")}}
diff --git a/files/en-us/web/api/securitypolicyviolationevent/originalpolicy/index.md b/files/en-us/web/api/securitypolicyviolationevent/originalpolicy/index.md
index 88f18f7bb93f6a1..ed4f14fc2e6c5ac 100644
--- a/files/en-us/web/api/securitypolicyviolationevent/originalpolicy/index.md
+++ b/files/en-us/web/api/securitypolicyviolationevent/originalpolicy/index.md
@@ -34,4 +34,4 @@ document.addEventListener("securitypolicyviolation", (e) => {
 
 ## See also
 
-- [`CSPViolationReportBody.originalPolicy`](/en-US/docs/Web/API/CSPViolationReportBody#cspviolationreportbody.originalpolicy)
+- {{domxref("CSPViolationReportBody.originalPolicy")}}
diff --git a/files/en-us/web/api/securitypolicyviolationevent/referrer/index.md b/files/en-us/web/api/securitypolicyviolationevent/referrer/index.md
index b31ca1f0687ac88..ef534f31c43dae8 100644
--- a/files/en-us/web/api/securitypolicyviolationevent/referrer/index.md
+++ b/files/en-us/web/api/securitypolicyviolationevent/referrer/index.md
@@ -33,4 +33,4 @@ document.addEventListener("securitypolicyviolation", (e) => {
 
 ## See also
 
-- [`CSPViolationReportBody.referrer`](/en-US/docs/Web/API/CSPViolationReportBody#cspviolationreportbody.referrer)
+- {{domxref("CSPViolationReportBody.referrer")}}
diff --git a/files/en-us/web/api/securitypolicyviolationevent/sample/index.md b/files/en-us/web/api/securitypolicyviolationevent/sample/index.md
index d43329a64ed7721..b5558e4cd7cd217 100644
--- a/files/en-us/web/api/securitypolicyviolationevent/sample/index.md
+++ b/files/en-us/web/api/securitypolicyviolationevent/sample/index.md
@@ -38,4 +38,4 @@ document.addEventListener("securitypolicyviolation", (e) => {
 
 ## See also
 
-- [`CSPViolationReportBody.sample`](/en-US/docs/Web/API/CSPViolationReportBody#cspviolationreportbody.sample)
+- {{domxref("CSPViolationReportBody.sample")}}
diff --git a/files/en-us/web/api/securitypolicyviolationevent/sourcefile/index.md b/files/en-us/web/api/securitypolicyviolationevent/sourcefile/index.md
index 6f101cc7f4a11d8..88cabf7f60240e3 100644
--- a/files/en-us/web/api/securitypolicyviolationevent/sourcefile/index.md
+++ b/files/en-us/web/api/securitypolicyviolationevent/sourcefile/index.md
@@ -34,4 +34,4 @@ document.addEventListener("securitypolicyviolation", (e) => {
 
 ## See also
 
-- [`CSPViolationReportBody.sourceFile`](/en-US/docs/Web/API/CSPViolationReportBody#cspviolationreportbody.sourcefile)
+- {{domxref("CSPViolationReportBody.sourceFile")}}
diff --git a/files/en-us/web/api/securitypolicyviolationevent/statuscode/index.md b/files/en-us/web/api/securitypolicyviolationevent/statuscode/index.md
index e99130c29e4b0a9..05add5bab8a4bb8 100644
--- a/files/en-us/web/api/securitypolicyviolationevent/statuscode/index.md
+++ b/files/en-us/web/api/securitypolicyviolationevent/statuscode/index.md
@@ -32,4 +32,4 @@ document.addEventListener("securitypolicyviolation", (e) => {
 
 ## See also
 
-- [`CSPViolationReportBody.statusCode`](/en-US/docs/Web/API/CSPViolationReportBody#cspviolationreportbody.statuscode)
+- {{domxref("CSPViolationReportBody.statusCode")}}