Why Can't I Set Both Content-Security-Policy + Content-Security-Policy-Report-Only Headers?

Rails CSP API doesn’t allow you to use both Content-Security-Policy and Content-Security-Policy-Report-Only headers together.

# Rails picks exactly one header name per request: report-only if the
# request was configured that way, otherwise the enforcing header.
def header_name(request)
  if request.content_security_policy_report_only
    ActionDispatch::Constants::CONTENT_SECURITY_POLICY_REPORT_ONLY
  else
    ActionDispatch::Constants::CONTENT_SECURITY_POLICY
  end
end

Source: GitHub

As per the MDN documentation for the Content-Security-Policy-Report-Only header:

You can use this to iteratively work on your content security policy. You observe how your site behaves, watching for violation reports, then choose the desired policy enforced by the Content-Security-Policy header.

What if I’d like to watch for violations while at the same time enforcing a basic set of policies using the Content-Security-Policy header? Then, as I discover new violations, I can either fix them or add new policies to the existing one?

As things stand now, I can only set one of the two headers. Is it not recommended to use both at the same time?

Prior Discussion:

You can set both Content-Security-Policy and Content-Security-Policy-Report-Only headers simultaneously. The Content-Security-Policy header enforces the security policy, while the Content-Security-Policy-Report-Only header allows you to monitor violations without blocking content, helping you fine-tune your policy without disrupting users.

Did anyone find a solution for that?

I suppose I can manually add the Content-Security-Policy-Report-Only header in a Rack middleware, but then I would need access to the exact same nonce if some policies use a nonce.
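A Rack middleware along the lines of the last comment, as an added example that is not from this thread or from Rails itself: it appends Content-Security-Policy-Report-Only after the app has produced the enforced header and reuses the per-request nonce from the Rack env, so the 'nonce-...' source is identical in both headers. The env key name and the stand-in app are assumptions.

```ruby
require "securerandom"

# Adds a Content-Security-Policy-Report-Only header next to the enforced
# Content-Security-Policy the app (Rails) already set. The nonce Rails stored
# in the Rack env is reused: browsers check each policy independently, so a
# different nonce here would report every nonced inline script as a violation.
class CspReportOnly
  # Assumption: env key under which ActionDispatch keeps the request nonce.
  NONCE_KEY = "action_dispatch.content_security_policy_nonce"
  # Lowercase header name (Rack 3 requires lowercase response header keys).
  HEADER = "content-security-policy-report-only"

  # directives: array of directive strings; the literal "%{nonce}" is replaced
  # by the request's 'nonce-...' source (or dropped when no nonce was issued).
  def initialize(app, directives:, report_uri:)
    @app = app
    @directives = directives
    @report_uri = report_uri
  end

  def call(env)
    status, headers, body = @app.call(env)
    headers = headers.merge(HEADER => build_policy(env[NONCE_KEY]))
    [status, headers, body]
  end

  def build_policy(nonce)
    source = nonce ? "'nonce-#{nonce}'" : ""
    directives = @directives.map { |d| d.sub("%{nonce}", source).squeeze(" ").strip }
    (directives + ["report-uri #{@report_uri}"]).join("; ")
  end
end

# Stand-in for the Rails app (constructed for this example): issues the nonce
# into env the way ActionDispatch does and sets the enforced policy.
FAKE_RAILS_APP = lambda do |env|
  nonce = env[CspReportOnly::NONCE_KEY] ||= SecureRandom.base64(16)
  [200, { "content-type" => "text/html",
          "content-security-policy" => "default-src 'self'; script-src 'self' 'nonce-#{nonce}'" },
   ["<script nonce=\"#{nonce}\">/* inline */</script>"]]
end

# Returns the response headers for one simulated request through the stack.
def simulate_request
  app = CspReportOnly.new(FAKE_RAILS_APP,
                          directives: ["default-src 'self'", "script-src 'self' %{nonce}", "img-src 'self' https:"],
                          report_uri: "/csp-report")
  _status, headers, _body = app.call({})
  headers
end
```

The middleware must sit outside Rails' own CSP middleware in the stack so that the nonce already exists in env when it runs.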