Unless I'm mistaken, the current DSL for managing the Content Security Policy doesn't appear to support producing both headers at the same time. I believe earlier CSP specifications, if both headers were present, instructed the user agent to ignore the report-only policy. This is no longer the case with the CSP2 recommendation, https://www.w3.org/TR/CSP2/#processing-model, as it's a great way to test and migrate towards a stricter policy.
> A server MAY cause user agents to monitor one policy while enforcing another policy by returning both Content-Security-Policy and Content-Security-Policy-Report-Only header fields. For example, if a server operator may wish to enforce one policy but experiment with a stricter policy, she can monitor the stricter policy while enforcing the original policy. Once the server operator is satisfied that the stricter policy does not break the web application, the server operator can start enforcing the stricter policy.
I understand the behaviour of the content_security_policy_report_only configuration is to switch the policy to the report-only header. I'd like to attempt some work to update the DSL to accommodate the definition of both policies side-by-side. Is there community support for this?
I acknowledge I could achieve what I want via custom headers (with an already serialised value), but I'd like to see the DSL be of greater use.
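The side-by-side arrangement described in the post, as an added example that is not part of the original issue and is not the framework's own DSL or code: a small `DualCsp` module (a hypothetical name) that serialises two independent directive hashes into the `Content-Security-Policy` and `Content-Security-Policy-Report-Only` header values, plus a minimal Rack-style middleware that sets both on every response. The policies, the `/csp-report` endpoint and the `'nonce-PLACEHOLDER'` value are constructed sample input; the `rack` gem is not required.

```ruby
# Added example (hypothetical names, not Rails' DSL): serialise two CSP
# policies and emit both header fields, so a stricter candidate policy is
# monitored (report-only) while the current policy stays enforced.
module DualCsp
  ENFORCE_HEADER     = "Content-Security-Policy"
  REPORT_ONLY_HEADER = "Content-Security-Policy-Report-Only"

  # Serialise a directive hash, e.g. { "default-src" => ["'self'"] }, into
  # header syntax: directives joined by "; ", sources joined by " ".
  # Directives with no sources (e.g. upgrade-insecure-requests) emit bare.
  def self.serialize(directives)
    directives.map do |name, sources|
      sources = Array(sources)
      sources.empty? ? name.to_s : "#{name} #{sources.join(' ')}"
    end.join("; ")
  end

  # Build both header fields from two independent policies.
  def self.headers(enforce:, report_only:)
    {
      ENFORCE_HEADER     => serialize(enforce),
      REPORT_ONLY_HEADER => serialize(report_only),
    }
  end

  # Minimal Rack-style middleware (no rack gem needed): adds both headers to
  # every response without disturbing headers the app already set.
  class Middleware
    def initialize(app, enforce:, report_only:)
      @app = app
      @csp_headers = DualCsp.headers(enforce: enforce, report_only: report_only)
    end

    def call(env)
      status, headers, body = @app.call(env)
      [status, headers.merge(@csp_headers), body]
    end
  end
end

# Constructed sample policies. The current (looser) policy is enforced; the
# stricter candidate is only reported, so violations show up at the report
# endpoint without blocking anything until it is promoted to enforcement.
CURRENT_POLICY = {
  "default-src" => ["'self'"],
  "script-src"  => ["'self'", "'unsafe-inline'", "https://cdn.example"],
  "report-uri"  => ["/csp-report"],
}
STRICTER_POLICY = {
  "default-src" => ["'self'"],
  "script-src"  => ["'self'", "'nonce-PLACEHOLDER'"], # per-request nonce in real use
  "object-src"  => ["'none'"],
  "upgrade-insecure-requests" => [],
  "report-uri"  => ["/csp-report"],
}

# Run a constructed app through the middleware and return the Rack triple.
def example_response
  app = ->(_env) { [200, { "Content-Type" => "text/html" }, ["<html></html>"]] }
  DualCsp::Middleware.new(app, enforce: CURRENT_POLICY, report_only: STRICTER_POLICY).call({})
end

if __FILE__ == $PROGRAM_NAME
  _status, headers, _body = example_response
  headers.each { |name, value| puts "#{name}: #{value}" }
end
```

Because the two policies are serialised independently, the report-only policy can drop `'unsafe-inline'` and add directives the enforced one lacks; the browser evaluates each header on its own, which is exactly what the CSP2 processing model quoted above allows.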