Support for Reporting API and NEL header

[arxeiss]

You already support the report-to attribute at CSP. However, this attribute accepts key from Report-To header like shown in this site in examples: developer.mozilla.org.

What do you think about adding the possibility to set the Report-To standalone header as well? It can report more issues with your site, see https://docs.report-uri.com/setup/reporting-api/.

And maybe add NEL Header too? This is not really security header but can help with debugging bad HTTPS certificate etc https://report-uri.com/products/network_error_logging

What do you think about those headers? At least Report-To header could be useful, otherwise, the report-to attribute at CSP is useless.

[bepsvpt]

Hi @arxeiss,

Thanks for suggestion. I will add report-to header.

NEL Header is still in Editor's Draft(https://w3c.github.io/network-error-logging/). I think we should at least wait for it become Working Draft.

W3C Maturity Levels: https://www.w3.org/2019/Process-20190301/#maturity-levels

[arxeiss]

NEL Header is already supported by Chrome on all platforms including Android, but I understand your opinion about adding it when it becomes working draft.