Adding support for report-to to ActionDispatch::ContentSecurityPolicy

Hi there,

We have to support the newer report-to CSP directive in order to pass our annual security audits without having to do extra administrative work tracking ‘false positives’. We’re doing that now by monkey patching ActionDispatch::ContentSecurityPolicy and adding Reporting-Endpoints headers to all our responses. I noticed that back in 2018 (Nu Html Checker (W3C) change report_uri to report_to · Issue #33561 · rails/rails · GitHub) we decided not to implement report-to, but it looks like most browsers except Firefox support this now. Looks like CSP Level 3 is still a draft according to this Web Application Security Working Group Charter.

I’m not sure how the Rails team decides when to adopt, but it looks like this one is here to stay, since 7 years after the last time somebody asked about it, it is still a thing, and I don’t think it would be much work. I’d be happy to attempt a PR if there was interest in adding support for this specific directive. Please share your thoughts here.
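
The workaround described in the post can also be done outside Rails internals. The following is an added example, not part of the original post and not Rails code: a Rack-style middleware that appends `report-to` to an existing policy (keeping `report-uri` as a fallback) and sets `Reporting-Endpoints`. The class name `CspReportTo`, the group name `csp-endpoint` and the URL are assumptions made for illustration.

```ruby
# Added example: Rack-style middleware, no Rails or rack gem required.
# Group name and endpoint URL are constructed placeholders.
class CspReportTo
  CSP_HEADERS = %w[content-security-policy content-security-policy-report-only].freeze

  def initialize(app, name:, url:)
    @app, @name, @url = app, name, url
  end

  def call(env)
    status, headers, body = @app.call(env)
    touched = false
    headers.keys.each do |key|
      next unless CSP_HEADERS.include?(key.to_s.downcase)
      headers[key] = add_report_to(headers[key])
      touched = true
    end
    # Only advertise the endpoint on responses that actually carry a policy.
    merge_endpoint(headers) if touched
    [status, headers, body]
  end

  # Append report-to unless the policy already names a reporting group.
  # report-uri is left in place for browsers that lack report-to support.
  def add_report_to(policy)
    directives = policy.split(";").map(&:strip).reject(&:empty?)
    return policy if directives.any? { |d| d.split(/\s+/).first.downcase == "report-to" }
    (directives << "report-to #{@name}").join("; ")
  end

  # Reporting-Endpoints is a dictionary of name="url" pairs.
  # Simplification: entries are split on commas, so URLs must not contain one.
  def merge_endpoint(headers)
    key = headers.keys.find { |k| k.to_s.downcase == "reporting-endpoints" } || "reporting-endpoints"
    entries = headers[key].to_s.split(",").map(&:strip).reject(&:empty?)
    entries.reject! { |e| e.split("=").first.strip == @name }
    headers[key] = (entries << %(#{@name}="#{@url}")).join(", ")
  end
end

# Constructed downstream app that emits a policy with only report-uri.
def demo_response
  app = ->(_env) { [200, { "content-security-policy" => "default-src 'self'; report-uri /csp-reports" }, ["ok"]] }
  CspReportTo.new(app, name: "csp-endpoint", url: "https://example.test/csp-reports").call({})
end
```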