The report-to directive works with reporting endpoints (from Reporting). The endpoints need to be configured through another header (Reporting-Endpoints, previously Report-To). This PR only adds the CSP directive; this enables users to migrate to the new reporting API if they provide the endpoints (via a Reporting-Endpoints header) themselves.
I did not deprecate the report-uri directive because browsers ignore it when a report-to directive is present and the browser supports it. Not all (major) browsers support this directive currently, so report-uri is still usefull for reporting in all browsers.
This PR extends
DirectiveSet
with thereport-to
directive. It is part of CSP Level 3 and intended to replace the deprecatedreport-uri
directive.The
report-to
directive works with reporting endpoints (from Reporting). The endpoints need to be configured through another header (Reporting-Endpoints
, previouslyReport-To
). This PR only adds the CSP directive; this enables users to migrate to the new reporting API if they provide the endpoints (via aReporting-Endpoints
header) themselves.I did not deprecate the
report-uri
directive because browsers ignore it when areport-to
directive is present and the browser supports it. Not all (major) browsers support this directive currently, soreport-uri
is still usefull for reporting in all browsers.Fixes #341