github / secure_headers

Manages application of security headers with many safe defaults
MIT License

Add report-to CSP directive #529

Open loremotta33 opened 1 month ago

loremotta33 commented 1 month ago

I added the secure_headers gem to my project as we needed to implement CSP. When configuring the policy, I was going to add the report-to directive as it seems that report-uri has been deprecated. I noticed that the gem does not have support for this configuration so decided to add it.

All PRs:

Adding a new CSP directive

Is the directive supported by any user agent? If so, which?

Yes, it's supported by all main browsers except Firefox.

What does it do?

It's used to indicate the name of the endpoint that the browser should use for reporting CSP violations. It is intended to replace the deprecated report-uri directive. Browsers should fall back to report-uri if report-to is not supported, so it's recommended to set both directives.

An array of endpoints is supported, but if more than one endpoint is provided, the browser will default to using the first one. I added it alongside report-uri to preserve the scheme, as, as far as I checked, there is no restriction on the naming of the endpoint.

This directive is directly tied to the Reporting-Endpoints HTTP header. At the moment, on my project I'm manually adding the Reporting-Endpoints header through the Rails default_headers configuration; I do not know if managing this header through the gem is something in the scope of the gem.

Here is the specification for report-to.
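The pairing described above (a report-to directive naming an endpoint, the matching Reporting-Endpoints header, and report-uri kept as the fallback) as an added, stand-alone example. This is not code from the secure_headers gem or from this PR; the endpoint name `csp-endpoint` and the report URL are assumed values, and the `check_reporting_config` helper is a hypothetical consistency check, not part of the gem's API.

```ruby
# Added example, not code from the secure_headers gem or this PR.
# Builds a CSP that names a reporting endpoint via report-to, emits the
# Reporting-Endpoints header that defines that name, keeps report-uri as the
# fallback for browsers without report-to support, and checks that the two
# headers agree. The endpoint name "csp-endpoint" and the URL are assumed.

# Reporting-Endpoints is a Structured Field dictionary: name="url", name2="url2"
def reporting_endpoints_header(endpoints)
  endpoints.map { |name, url| %(#{name}="#{url}") }.join(", ")
end

# Serialize {directive => [values]} into a Content-Security-Policy value.
# report-to carries an endpoint *name* (a token); report-uri carries URLs.
def csp_header(directives)
  directives.map do |name, values|
    values.empty? ? name : "#{name} #{Array(values).join(' ')}"
  end.join("; ")
end

# Parse a Reporting-Endpoints header back into {name => url}.
def parse_reporting_endpoints(value)
  value.split(",").each_with_object({}) do |member, acc|
    name, url = member.strip.split("=", 2)
    acc[name] = url.delete('"') if name && url
  end
end

# Parse a Content-Security-Policy value into {directive => [values]}.
def parse_csp(value)
  value.split(";").each_with_object({}) do |directive, acc|
    name, *vals = directive.strip.split(/\s+/)
    acc[name] = vals if name && !name.empty?
  end
end

# Hypothetical consistency check for the two headers. The name given to
# report-to must be declared in Reporting-Endpoints, otherwise a browser that
# honours report-to sends no reports at all (and it ignores report-uri once
# report-to is in effect). report-to takes a single name, so extra names are
# flagged. Returns an array of problems; empty means the pair is consistent.
def check_reporting_config(csp_value, reporting_endpoints_value)
  csp = parse_csp(csp_value)
  endpoints = parse_reporting_endpoints(reporting_endpoints_value.to_s)
  names = csp.fetch("report-to", [])
  problems = []
  if names.any? && !csp.key?("report-uri")
    problems << "report-to is set without a report-uri fallback"
  end
  names.each do |name|
    next if endpoints.key?(name)
    problems << "report-to endpoint '#{name}' is not declared in Reporting-Endpoints"
  end
  if names.size > 1
    problems << "report-to names more than one endpoint; only the first is used"
  end
  problems
end

# Assumed configuration (constructed for the example).
ENDPOINTS = { "csp-endpoint" => "https://reports.example.com/csp" }.freeze
DIRECTIVES = {
  "default-src" => ["'self'"],
  "report-uri"  => ["https://reports.example.com/csp"],
  "report-to"   => ["csp-endpoint"],
}.freeze

REPORTING_ENDPOINTS_VALUE = reporting_endpoints_header(ENDPOINTS)
CSP_VALUE = csp_header(DIRECTIVES)

if __FILE__ == $PROGRAM_NAME
  puts "Reporting-Endpoints: #{REPORTING_ENDPOINTS_VALUE}"
  puts "Content-Security-Policy: #{CSP_VALUE}"
  p check_reporting_config(CSP_VALUE, REPORTING_ENDPOINTS_VALUE)
  # A misconfiguration: report-to names an endpoint that was never declared.
  p check_reporting_config(csp_header("report-to" => ["missing"]), REPORTING_ENDPOINTS_VALUE)
end
```

Both header values are what a Rails app would put in `default_headers` (or a library would emit) for this policy; the check is the part worth keeping in a test suite, since a typo in the endpoint name silently turns off reporting in every browser that prefers report-to.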

rzhade3 commented 4 weeks ago

Hi @loremotta33, thanks so much for this PR! This looks like a worthy change to upstream, however I just have some confusion around how exactly we should support this directive in the library.

It looks like to support this directive, we'll also need to support the Reporting-Endpoints header? However, this header is not supported in Safari or Opera? I'm slightly worried about causing confusion amongst users of our library due to incompatibility in these browsers; although ultimately, given the status of Report-To as an accepted CSP directive, this is a good change.

loremotta33 commented 3 weeks ago

That's a great catch @rzhade3, I had not noticed that the report-to browser compatibility table is different from the Reporting-Endpoints one.

I'm not sure if the tables are correct or up to date though, as I just downloaded the latest Opera version (114.0.5282.115), and it has used the Endpoint defined on the Reporting-Endpoints header to report the CSP violation (screenshot attached).

[screenshot: Opera delivering the CSP violation report to the endpoint defined in the Reporting-Endpoints header]

If you think it makes sense to add support for the Reporting-Endpoints header through the gem, let me know and I can take a look at the code to do so!

I thought of initially adding support for it in this pull request, but I was not sure if it was something that would be wanted for the gem or not.

rzhade3 commented 2 weeks ago

@loremotta33 Thanks for doing that research! Given that it is strictly needed to implement Reporting-Endpoints in order for report-to to be respected by a browser, let's try and add that to this PR! Can you take a look at whether you're able to implement that?

loremotta33 commented 6 days ago

@rzhade3, sorry for the delay on this, I have been pretty busy the last few days.

I just pushed a commit to add Reporting-Endpoints support. I did some testing myself and I think that it's working as expected, but let me know if some extra work is needed for this!