feat(csp): add support for Content-Security-Policy-Report-Only header #672

Open
Gonzo17 wants to merge 2 commits into Baroshem:main from Gonzo17:feat/cspReportOnly
Conversation

Gonzo17 commented Jan 14, 2026

Types of changes

  • Bug fix (a non-breaking change which fixes an issue)
  • New feature (a non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)

Description

Support for Content-Security-Policy-Report-Only header, either globally or per route.

Resolves #605

Checklist:

  • My change requires a change to the documentation.
  • I have updated the documentation accordingly.
  • I have added tests to cover my changes (if not applicable, please state why)

vercel Bot commented Jan 14, 2026

@Gonzo17 is attempting to deploy a commit to the Baroshem's projects Team on Vercel.

A member of the Team first needs to authorize it.

Baroshem (Owner) commented Jan 16, 2026

Hey Buddy,

Thanks for creating this issue. It is clear that a lot of work was done (and a good work)!

But I am not convinced by this approach of passing report-only in the headers for CSP.

The report-only policy is a completely different header, and passing it inside CSP may cause unwanted confusion (as currently everything passed to security.headers.contentSecurityPolicy is converted to native browser headers). This feature will break this stability.

I think the initial solution of passing it as a separate config option would be better, as it does not interfere with the existing native headers :)

Also, I highly recommend you check out this PR -> nuxt/nuxt#32242

Feel free to contribute that change there as well :)
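The distinction raised above (the enforced policy and the report-only policy are two different response headers, so they should come from two separate config options rather than one) is illustrated by the following added example. It is not code from nuxt-security or from this PR; the option names `contentSecurityPolicyReportOnly` and `routeRules`, the function names and the sample config are hypothetical. It also covers the per-route case the PR description mentions, where a route can switch the report-only header off without touching the enforced one.

```javascript
// Added example, not code from nuxt-security or this PR. The enforced policy and
// the report-only policy are two config objects that become two distinct response
// headers, so nothing under the enforced option can leak into the report-only
// header or vice versa. Option names and the sample config are hypothetical.

// Serialize a directive map into a header value, e.g.
// { 'default-src': ["'self'"], 'upgrade-insecure-requests': [] }
//   -> "default-src 'self'; upgrade-insecure-requests"
function serializeCsp(directives) {
  return Object.entries(directives)
    .map(([name, values]) => {
      const list = Array.isArray(values) ? values : [values];
      return list.length ? `${name} ${list.join(' ')}` : name;
    })
    .join('; ');
}

// Resolve the policies that apply to one path: global values, then the
// longest-prefix route override. A route value of `false` disables that header
// for the route; an object replaces (does not merge with) the global policy.
function resolveForRoute(config, path) {
  const rules = config.routeRules || {};
  const match = Object.keys(rules)
    .filter((prefix) => path === prefix || path.startsWith(prefix.replace(/\/$/, '') + '/'))
    .sort((a, b) => b.length - a.length)[0];
  const override = match ? rules[match] : {};
  const pick = (key) => (key in override ? override[key] : config[key]);
  return {
    enforced: pick('contentSecurityPolicy'),
    reportOnly: pick('contentSecurityPolicyReportOnly'),
  };
}

// Turn resolved policies into response headers. Also returns the practical
// warning a reviewer wants: a report-only policy without report-uri/report-to
// only surfaces violations in the browser devtools console, so nothing reaches
// the server and the "report" part of report-only is effectively lost.
function buildCspHeaders({ enforced, reportOnly }) {
  const headers = {};
  const warnings = [];
  if (enforced) headers['Content-Security-Policy'] = serializeCsp(enforced);
  if (reportOnly) {
    headers['Content-Security-Policy-Report-Only'] = serializeCsp(reportOnly);
    if (!('report-uri' in reportOnly) && !('report-to' in reportOnly)) {
      warnings.push('report-only policy has no report-uri/report-to directive');
    }
  }
  return { headers, warnings };
}

// Constructed sample config: a strict enforced policy, a candidate policy
// being trialled in report-only mode, and one route that opts out of the trial.
const sampleConfig = {
  contentSecurityPolicy: {
    'default-src': ["'self'"],
    'script-src': ["'self'"],
  },
  contentSecurityPolicyReportOnly: {
    'default-src': ["'self'"],
    'script-src': ["'self'", 'https://cdn.example'],
    'report-uri': ['/api/csp-report'],
  },
  routeRules: {
    '/admin': { contentSecurityPolicyReportOnly: false },
  },
};

function headersFor(path, config = sampleConfig) {
  return buildCspHeaders(resolveForRoute(config, path));
}

console.log(headersFor('/'));            // both headers
console.log(headersFor('/admin/users')); // enforced header only
```

Keeping the two policies in separate objects is what makes the `/admin` override safe: turning the report-only trial off for that route cannot accidentally weaken or remove the enforced `Content-Security-Policy` header.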

Gonzo17 (Author) commented Jan 16, 2026

> Hey Buddy,
>
> Thanks for creating this issue. It is clear that a lot of work was done (and a good work)!
>
> But I am not convinced by this approach of passing report-only in the headers for CSP.
>
> The report-only policy is a completely different header, and passing it inside CSP may cause unwanted confusion (as currently everything passed to security.headers.contentSecurityPolicy is converted to native browser headers). This feature will break this stability.

Hey! Thank you for your feedback. :) I'm totally fine with adjusting, I understand your points!

> I think the initial solution of passing it as a separate config option would be better, as it does not interfere with the existing native headers :)

I'll update the PR soon. :)

> Also, I highly recommend you check out this PR -> nuxt/nuxt#32242
>
> Feel free to contribute that change there as well :)

Oh that's interesting :) Yes, I'd like to do that after finishing this PR!

Gonzo17 (Author) commented Jan 16, 2026

I've pushed the changes, please have a look :)
I also noticed that the FAQ part about CSP Report-Only is redundant now, so we might as well remove it. Just kept it in and updated it accordingly for now.

Baroshem (Owner) left a comment

Great work! I approve it. Let's wait for a few more bugs/features so that I can release the next minor version :)


Development

Successfully merging this pull request may close these issues.

Add support for Content-Security-Policy-Report-Only mode
