Is there any appetite for accepting a small patch to the Content Security Policy DSL to support the report-to directive?
There was a previous discussion about replacing report-uri: https://github.com/rails/rails/issues/33561. I agree with the reason for that issue’s closure: CSP3 is still only in working draft status and it shouldn’t replace report-uri yet. Is there opposition to a simple addition?
It would be left to the user to understand the interaction between report-uri and report-to. The spec suggests you use both if you want to leverage the Reporting API, https://www.w3.org/TR/CSP3/#directive-report-uri.
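
As an added illustration (not part of the original post and not Rails code), here is a Rack-style middleware in plain Ruby that sends both directives, plus the `Report-To` header that defines the group `report-to` names. The class name `CspReporting`, the group name, the `max_age` value and the endpoint URL are all assumptions.

```ruby
require "json"

# Hypothetical middleware: appends report-uri (legacy) and report-to
# (Reporting API) to an existing policy so either kind of browser can report.
class CspReporting
  CSP = "content-security-policy" # lowercase header keys, as Rack 3 expects

  def initialize(app, report_url:, group: "csp-endpoint", max_age: 86_400)
    # The Reporting API only delivers to secure endpoints, so require https.
    raise ArgumentError, "report_url must be https" unless report_url.start_with?("https://")
    # The group name is interpolated into the policy; keep it to a safe token.
    raise ArgumentError, "invalid group name" unless group.match?(/\A[A-Za-z0-9_-]+\z/)
    @app, @report_url, @group, @max_age = app, report_url, group, max_age
  end

  def call(env)
    status, headers, body = @app.call(env)
    policy = headers[CSP]
    # No policy means nothing to report on; pass the response through untouched.
    return [status, headers, body] if policy.nil? || policy.strip.empty?

    headers = headers.merge(
      CSP => add_reporting(policy),
      # report-to only names a group; the group's endpoints live in this header.
      "report-to" => JSON.generate(
        group: @group, max_age: @max_age, endpoints: [{ url: @report_url }]
      )
    )
    [status, headers, body]
  end

  # Drops any reporting directives already present, then appends both.
  def add_reporting(policy)
    directives = policy.split(";").map(&:strip).reject(&:empty?)
    directives.reject! { |d| d.match?(/\A(report-uri|report-to)(\s|\z)/i) }
    directives << "report-uri #{@report_url}" << "report-to #{@group}"
    directives.join("; ")
  end
end

# Constructed sample app and response, for illustration only.
SAMPLE_APP = lambda do |_env|
  [200, { "content-security-policy" => "default-src 'self'; report-uri /old" }, ["ok"]]
end
SAMPLE_HEADERS = CspReporting.new(SAMPLE_APP, report_url: "https://reports.example.com/csp").call({})[1]
```

Per the CSP3 text linked above, a browser that supports `report-to` ignores `report-uri`, so sending both does not produce duplicate reports.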