Why Can't I Set Both Content-Security-Policy + Content-Security-Policy-Report-Only Headers?

The Rails CSP API doesn’t allow you to use both Content-Security-Policy and Content-Security-Policy-Report-Only headers together.

def header_name(request)
  if request.content_security_policy_report_only
    ActionDispatch::Constants::CONTENT_SECURITY_POLICY_REPORT_ONLY
  else
    ActionDispatch::Constants::CONTENT_SECURITY_POLICY
  end
end

Source: GitHub

As per the MDN documentation for the Content-Security-Policy-Report-Only header:

You can use this to iteratively work on your content security policy. You observe how your site behaves, watching for violation reports, then choose the desired policy enforced by the Content-Security-Policy header.

What if I’d like to watch for violations and, at the same time, enforce a basic set of policies using the Content-Security-Policy header? Then as I discover new violations, we can either fix them or add new policies to the existing one?

As things stand now, I can only set one of the two headers. Is it not recommended to use both at the same time?

Prior Discussion:
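An added example, not part of the original post and not Rails code: browsers process both headers when a response carries both, enforcing Content-Security-Policy and only reporting on Content-Security-Policy-Report-Only. The sketch below is a Rack-style middleware that leaves the app's enforced policy untouched and adds a stricter candidate policy as report-only; the class name, the stand-in app and the `/csp-violation-report` endpoint are assumptions.

```ruby
# Hypothetical middleware: adds a report-only candidate policy next to the
# enforced Content-Security-Policy that the app (e.g. Rails) already sets.
class CspReportOnlyCandidate
  HEADER = "content-security-policy-report-only" # lowercase, Rack 3 style

  # directives: Hash of directive name => Array of source expressions
  def initialize(app, directives:, report_uri:)
    @app = app
    @value = self.class.serialize(directives.merge("report-uri" => [report_uri]))
  end

  # Build the header value; reject characters that would start a new
  # directive (;), a new policy (,) or a new header line (CR/LF).
  def self.serialize(directives)
    directives.map do |name, sources|
      sources.each do |s|
        raise ArgumentError, "invalid source in #{name}: #{s.inspect}" if s.match?(/[;,\r\n]/)
      end
      ([name] + sources).join(" ")
    end.join("; ")
  end

  def call(env)
    status, headers, body = @app.call(env)
    # Keep a report-only header the app already chose to send.
    unless headers.keys.any? { |k| k.to_s.downcase == HEADER }
      headers[HEADER] = @value
    end
    [status, headers, body]
  end
end

# Constructed stand-in for an app that enforces a basic policy.
BASELINE_APP = lambda do |_env|
  [200, { "content-type" => "text/html",
          "content-security-policy" => "default-src 'self' https:" }, ["ok"]]
end

def sample_response
  stack = CspReportOnlyCandidate.new(
    BASELINE_APP,
    directives: { "default-src" => ["'self'"], "script-src" => ["'self'"] },
    report_uri: "/csp-violation-report" # hypothetical reporting endpoint
  )
  stack.call({})
end
```

In a Rails app a middleware like this would be registered with `config.middleware.use`, with the enforced policy still defined through the regular CSP initializer.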