Expected Behavior
Add configuration option for the Report-to HTTP-header to the CspSecurityPolicyConfig.
An example of how this could look:

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        return http.headers(headers ->
            headers.contentSecurityPolicy(csp ->
                csp
                    .reportOnly()
                    // proposed: declares the Reporting-Endpoints header alongside the policy
                    .reportingEndpoints("csp-report-endpoint=\"https://example.com/csp-reports\"")
                    .policyDirectives("default-src 'self'; report-to csp-report-endpoint")
            )
        ).build();
    }
Current Behavior
To get the same thing to work right now, the code looks like this:
    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        return http.headers(headers -> headers
            .contentSecurityPolicy(csp -> csp
                .reportOnly()
                .policyDirectives("default-src 'self'; report-to csp-report-endpoint")
            )
            // the Reporting-Endpoints header has to be written by hand today
            .addHeaderWriter((request, response) ->
                response.setHeader("Reporting-Endpoints", "csp-report-endpoint=\"https://example.com/csp-reports\""))
        ).build();
    }

This is unnecessarily complex.
Context
The Reporting-Endpoints HTTP header and the report-to directive are the successors to the report-uri directive, which is deprecated.
So everyone implementing a CSP with reporting should set the Reporting-Endpoints HTTP header.
See https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/CSP#violation_reporting for details.
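The pairing described above only works when the endpoint name given to report-to is actually defined in the Reporting-Endpoints header; a mismatch or a missing header means violation reports are silently dropped. The following added example (not part of this issue or of Spring Security) parses both headers from a response and reports such misconfigurations, including use of the deprecated report-uri directive. All header values are constructed samples.

```python
"""Consistency check for CSP report-to and the Reporting-Endpoints header.

Added example, not Spring Security code. Header values below are constructed.
"""

from typing import Dict, List, Optional


def parse_reporting_endpoints(header: str) -> Dict[str, str]:
    """Parse Reporting-Endpoints: a comma-separated list of name="url" members."""
    endpoints: Dict[str, str] = {}
    for member in header.split(","):
        member = member.strip()
        if not member:
            continue
        name, sep, value = member.partition("=")
        if not sep:
            raise ValueError(f"endpoint without URL: {member!r}")
        value = value.strip()
        if len(value) < 2 or value[0] != '"' or value[-1] != '"':
            raise ValueError(f"endpoint URL must be a quoted string: {member!r}")
        endpoints[name.strip()] = value[1:-1]
    return endpoints


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Parse a Content-Security-Policy value into {directive: [values]}."""
    directives: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def check_reporting(csp: str, reporting_endpoints: Optional[str]) -> List[str]:
    """Return findings about the reporting setup; an empty list means it is wired correctly."""
    findings: List[str] = []
    directives = parse_csp(csp)
    if "report-uri" in directives:
        findings.append("report-uri is deprecated; use report-to with Reporting-Endpoints")
    groups = directives.get("report-to")
    if groups is None:
        findings.append("CSP has no report-to directive; violations will not be reported")
        return findings
    if len(groups) != 1:
        findings.append(f"report-to expects exactly one endpoint name, got {groups}")
        return findings
    if reporting_endpoints is None:
        findings.append("report-to is set but the Reporting-Endpoints header is missing")
        return findings
    endpoints = parse_reporting_endpoints(reporting_endpoints)
    name = groups[0]
    if name not in endpoints:
        findings.append(
            f"report-to names {name!r}, which Reporting-Endpoints does not define "
            f"(defined: {sorted(endpoints)})"
        )
    elif not endpoints[name].startswith("https://"):
        findings.append(f"endpoint {name!r} must use https, got {endpoints[name]!r}")
    return findings


# Constructed sample: the headers from the issue, plus a broken variant.
GOOD_CSP = "default-src 'self'; report-to csp-report-endpoint"
GOOD_ENDPOINTS = 'csp-report-endpoint="https://example.com/csp-reports"'

if __name__ == "__main__":
    print(check_reporting(GOOD_CSP, GOOD_ENDPOINTS))
    print(check_reporting(GOOD_CSP, None))
    print(check_reporting("default-src 'self'; report-to other-group", GOOD_ENDPOINTS))
```

Running the check against a response's actual headers (for example in an integration test of the filter chain) catches the case where the policy was updated but the separately written Reporting-Endpoints header was not, which is exactly the kind of drift the requested single configuration point would prevent.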
Alternative Suggestion: Full-blown API that allows building the policy and headers declaratively, with support for configuration via properties. (So instead of just specifying a string with a policy, you would use a typed Java api which declares the directives to add, what values those directives have, and where to report to. There could also be support for nonces)