paragonie / csp-builder

Build Content-Security-Policy headers from a JSON file (or build them programmatically)
https://paragonie.com/projects
MIT License

report-to directive not handled well by Chrome 76 #40

Closed iangcarroll closed 4 years ago

iangcarroll commented 5 years ago

Chrome 76 seems to not handle how csp-builder does report-to; when a report URI is set, Chrome does not send any CSP reports with v2.3.1. Only when the report-to directive is removed does Chrome send reports correctly (presumably to report-uri).

It seems like you can't just pass a normal URL as a report-to value. Did the CSP spec change between implementation and now?
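What the question above turns on, as an added example that is not part of this issue or of csp-builder: under CSP Level 3 the `report-to` directive names a reporting *group* that must be declared separately in a `Report-To` header (the Reporting API), and a policy that contains `report-to` causes the browser to ignore `report-uri`. So a header that puts the report URL into `report-to`, as described in the comment, sends nothing anywhere. The checker below flags that shape, and the builder emits the two headers in the form CSP3 browsers expect. The endpoint URL, the group name `csp-endpoint`, and the function names are the example's own assumptions; the Report-To `max_age` value is arbitrary.

```javascript
// Added example (not csp-builder code). Parses a Content-Security-Policy header
// plus its companion Report-To header and flags the reporting misconfiguration
// discussed in this issue: a URL where a group name belongs.

// Parse "directive v1 v2; directive v" into Map<name, [values]>.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    directives.set(name.toLowerCase(), values);
  }
  return directives;
}

// Report-To is a comma-separated list of JSON objects, each with a "group".
// Wrapping the raw header value in [] turns it into a parseable JSON array.
function parseReportToGroups(header) {
  if (!header) return new Set();
  return new Set(JSON.parse(`[${header}]`).map(g => g.group));
}

// Returns a list of human-readable findings; an empty list means the
// reporting setup is consistent.
function checkReporting(cspHeader, reportToHeader) {
  const findings = [];
  const csp = parseCsp(cspHeader);
  const reportTo = csp.get('report-to');
  const reportUri = csp.get('report-uri');
  const groups = parseReportToGroups(reportToHeader);

  if (!reportTo) {
    if (!reportUri) findings.push('no report-uri or report-to: violations are never reported');
    return findings;
  }

  const token = reportTo[0] || '';
  let broken = false;
  if (reportTo.length !== 1) {
    findings.push('report-to must carry exactly one group name');
    broken = true;
  }
  if (/^https?:\/\//i.test(token)) {
    findings.push(`report-to value "${token}" is a URL; it must be a group declared in Report-To`);
    broken = true;
  } else if (!groups.has(token)) {
    findings.push(`report-to group "${token}" is not declared in any Report-To header`);
    broken = true;
  }
  // CSP3 user agents ignore report-uri once report-to is present, so a broken
  // report-to group means the report-uri fallback does not rescue you either.
  if (broken && reportUri) {
    findings.push('report-uri is ignored because report-to is present; no reports will be delivered');
  }
  return findings;
}

// Emit the pair of headers a CSP3 browser expects. report-uri is kept for
// older user agents that do not understand report-to.
function buildReportingHeaders(policy, endpointUrl, groupName = 'csp-endpoint') {
  const reportTo = JSON.stringify({
    group: groupName,
    max_age: 10886400, // assumed value, in seconds
    endpoints: [{ url: endpointUrl }],
  });
  const csp = `${policy}; report-uri ${endpointUrl}; report-to ${groupName}`;
  return { 'Content-Security-Policy': csp, 'Report-To': reportTo };
}

// Constructed sample: the shape this issue describes (URL in report-to, no Report-To header).
const brokenHeader =
  "default-src 'self'; report-uri https://example.com/csp; report-to https://example.com/csp";
const brokenFindings = checkReporting(brokenHeader, undefined);

// Constructed sample: the corrected pair of headers.
const fixed = buildReportingHeaders("default-src 'self'", 'https://example.com/csp');
const fixedFindings = checkReporting(fixed['Content-Security-Policy'], fixed['Report-To']);

module.exports = { parseCsp, parseReportToGroups, checkReporting, buildReportingHeaders, brokenFindings, fixedFindings };
```

Running `checkReporting` against a server's actual response headers (for instance from `curl -sI`) is a quick way to confirm that whichever library builds the policy has emitted a group name, not a URL, in `report-to`, and that the matching `Report-To` header is actually present on the response.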

paragonie-scott commented 5 years ago

We're in a weird limbo state with CSP.

iangcarroll commented 5 years ago

Gotcha. Unfortunately this means we need to downgrade to v2.1.0 in order to use this library, since we need reporting to work. Is there a quick way to get a newer version to stop sending report-to?

I'd be happy to try and send a quick PR to fork out report-to as a different setting from report-uri, but I'll need to get approval from my employer first.