feat: report-to #30


sericaia commented Apr 2, 2019

This is a work in progress. report-to aims to replace report-uri in CSP 3, but it only has support in certain browsers (Chrome and Android > v70).

Basically, what is missing from this PR is a rule in Joi that supports the desired behaviour, and adding it to the schema.

So we want to have the following different rules:

  • use report-only only when report-uri is present (as we currently have):
    schema.with('reportOnly', 'reportUri');

  • same as before, but for report-to (when reportTo replaces reportUri):
    schema.with('reportOnly', 'reportTo');

  • we can also have both reportUri and reportTo and the browser will decide which one to use

Something like schema.with('reportOnly', ['reportUri', 'reportTo']); or using object.or schema.or(schema.with('reportOnly', 'reportUri'), schema.with('reportOnly', 'reportTo'))

I couldn't find a way to properly do it in Joi. @nlf do you know if it is possible in any way?

sericaia (Author) commented Apr 2, 2019

There is also a dependency between the report-to CSP property and the Report-to header, but I don't think we can cover it in this module... (it is a bit different from what we have with the content-security-policy-report-only header)

nlf (Owner) commented Apr 24, 2019

so the issue here is that the reportOnly option requires one or both of reportUri and reportTo?

also re: the Report-To header, in my opinion if that header is used for CSP purposes we should probably support it..

sericaia (Author) commented May 1, 2019

yes ;) is there any way I am not seeing to do it?

you mean supporting the Report-to header in Blankie? isn't it a bit out of scope since it is not under the CSP header?
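
The rule discussed in this thread (reportOnly needs reportUri, reportTo, or both) and the dependency of the report-to directive on a Report-To header, as an added example in plain JavaScript. It is not part of the PR, does not use Joi, and is not blankie's code; the function names, the `reportToGroups` option and the sample values are assumptions.

```javascript
// Added example: plain JavaScript, not Joi and not blankie's own code.
// reportOnly/reportUri/reportTo follow the thread; reportToGroups is assumed.

// Rule from the thread: reportOnly needs reportUri, reportTo, or both.
function validateReporting(options) {
  const errors = [];
  const hasUri = typeof options.reportUri === 'string' && options.reportUri !== '';
  const hasTo = typeof options.reportTo === 'string' && options.reportTo !== '';
  if (options.reportOnly && !hasUri && !hasTo) {
    errors.push('reportOnly requires reportUri, reportTo, or both');
  }
  // report-to carries a group name, so a Report-To header must define that group.
  const groups = (options.reportToGroups || []).map((g) => g.group);
  if (hasTo && !groups.includes(options.reportTo)) {
    errors.push(`report-to group "${options.reportTo}" is not defined in Report-To`);
  }
  return errors;
}

// Build the response headers once the options pass validation.
function buildHeaders(options) {
  const errors = validateReporting(options);
  if (errors.length > 0) {
    throw new Error(errors.join('; '));
  }
  const directives = ["default-src 'self'"]; // assumed policy body
  if (options.reportUri) directives.push(`report-uri ${options.reportUri}`);
  if (options.reportTo) directives.push(`report-to ${options.reportTo}`);
  const name = options.reportOnly
    ? 'Content-Security-Policy-Report-Only'
    : 'Content-Security-Policy';
  const headers = { [name]: directives.join('; ') };
  if (options.reportTo) {
    // One JSON object per group, comma-separated.
    headers['Report-To'] = options.reportToGroups.map((g) => JSON.stringify(g)).join(', ');
  }
  return headers;
}

// Constructed sample input: both reporting mechanisms set, browser picks one.
const sample = {
  reportOnly: true,
  reportUri: '/csp-reports',
  reportTo: 'csp-endpoint',
  reportToGroups: [
    { group: 'csp-endpoint', max_age: 10886400, endpoints: [{ url: 'https://example.com/csp-reports' }] },
  ],
};
console.log(buildHeaders(sample));
```
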

@maharjanraj

Is this repo no longer maintained?
