Extend Content Security Policy DSL to support both enforce and report-only policies at the same time.

Unless I’m mistaken, the current DSL for managing the Content Security Policy doesn’t appear to support producing both headers at the same time. I believe earlier CSP specifications, if both headers were present, instructed the user agent to ignore the report-only policy. This is no longer the case with the CSP2 recommendation, Content Security Policy Level 2, as it’s a great way to test and migrate towards a stricter policy.

> A server MAY cause user agents to monitor one policy while enforcing another policy by returning both [Content-Security-Policy](https://www.w3.org/TR/CSP2/#content_security_policy) and [Content-Security-Policy-Report-Only](https://www.w3.org/TR/CSP2/#content_security_policy_report_only) header fields. For example, if a server operator may wish to enforce one policy but experiment with a stricter policy, she can monitor the stricter policy while enforcing the original policy. Once the server operator is satisfied that the stricter policy does not break the web application, the server operator can start enforcing the stricter policy.

I understand the behaviour of the `content_security_policy_report_only` configuration is to switch the policy to the report-only header. I’d like to attempt some work to update the DSL to accommodate the definition of both policies side by side. Is there community support for this?

I acknowledge I could achieve what I want via custom headers (with an already serialised value), but I’d like to see the DSL be of greater use.


I think this is a good idea.

I work on a large application for a Fortune 500 company and have had to forgo using the DSL, and instead implement bespoke middleware so that we can incrementally test and improve our CSP configuration.

I’ve filed an issue (https://github.com/rails/rails/issues/40452) and have a proposal for extending the DSL, with backward compatibility, to support both headers (https://github.com/rails/rails/pull/40525).

We plan to incorporate this after it’s merged.
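The "bespoke middleware" approach mentioned in the reply above, and the enforce-plus-report-only migration pattern the original post quotes from CSP2, can be shown with a small Rack-style middleware. This is an added example written for this thread; it is not Rails code and not the middleware the reply describes. It assumes Rack 2-style capitalised header names and a hypothetical `/csp-report` reporting endpoint; the two policies are constructed sample values.

```ruby
# Added example (not Rails or the poster's code): emit an enforced CSP and a
# stricter report-only CSP on the same response, as CSP2 permits.

# Serialise a hash of directives into a CSP header value.
# Directive names use underscores (as in the Rails DSL) and are converted to
# dashes; an empty source list yields a bare directive such as
# "upgrade-insecure-requests".
def serialize_csp(directives)
  directives.map do |name, sources|
    directive = name.to_s.tr("_", "-")
    sources.empty? ? directive : "#{directive} #{sources.join(' ')}"
  end.join("; ")
end

# Rack middleware that sets both headers unless the app already set them.
class DualCspMiddleware
  ENFORCE_HEADER     = "Content-Security-Policy"
  REPORT_ONLY_HEADER = "Content-Security-Policy-Report-Only"

  def initialize(app, enforce:, report_only:)
    @app               = app
    @enforce_value     = serialize_csp(enforce)
    @report_only_value = serialize_csp(report_only)
  end

  def call(env)
    status, headers, body = @app.call(env)
    headers[ENFORCE_HEADER]     ||= @enforce_value      # policy the browser enforces
    headers[REPORT_ONLY_HEADER] ||= @report_only_value  # stricter candidate, only reported
    [status, headers, body]
  end
end

# Constructed sample policies: the current (looser) one is enforced while the
# stricter candidate is monitored via violation reports.
ENFORCED_POLICY = {
  default_src: ["'self'"],
  script_src:  ["'self'", "'unsafe-inline'"]
}.freeze

CANDIDATE_POLICY = {
  default_src: ["'self'"],
  script_src:  ["'self'"],
  upgrade_insecure_requests: [],
  report_uri: ["/csp-report"]  # hypothetical reporting endpoint
}.freeze

# Build a trivial app wrapped in the middleware.
def build_app
  inner = ->(_env) { [200, { "Content-Type" => "text/html" }, ["<html></html>"]] }
  DualCspMiddleware.new(inner, enforce: ENFORCED_POLICY, report_only: CANDIDATE_POLICY)
end

# Return the response headers for a constructed request.
def response_headers
  _status, headers, _body = build_app.call({ "PATH_INFO" => "/" })
  headers
end

if __FILE__ == $PROGRAM_NAME
  response_headers.each { |name, value| puts "#{name}: #{value}" }
end
```

Once the report-only endpoint stops receiving violations for the candidate policy, the two hashes can be swapped so the stricter policy is enforced, which is the migration the CSP2 text describes.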