Feature #14047
Allow CSP violations to be reported
Status: open
Description
The Content-Security-Policy header is strict, and may break existing behavior.
Existing clients may have a hard time enabling it in an existing code base due to certain design/architectural approaches.
To this end the Content-Security-Policy-Report-Only header may come in handy.
This header essentially allows developers to "debug" CSP.
As we now offer CSP (but do not enable it by default), we should also support CSP-RO. This header functions exactly the same as CSP does, but does not yet enforce the policy on the page. The browser will generate all violations, but does not let them affect the page. Instead, they are sent to a certain endpoint.
The header looks like:
Content-Security-Policy-Report-Only: <policy-directive>; …; <policy-directive>; report-to <endpoint-name>
Here, the <policy-directive> is the same as with the regular CSP header. Only the report-to <endpoint-name> is added. This is the endpoint to which the reports are sent.
Wt should support this such that a csp-debug configuration can be enabled. This will render the Content-Security-Policy-Report-Only header, and not the Content-Security-Policy header.
Additionally, it will set up an endpoint at csp-debug-endpoint (defaulting to e.g. csp-report-endpoint).
This will be a WServer resource. It reads any incoming reports and logs them.
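As an added illustration (not Wt code) of the two pieces this feature needs, the header pair that a csp-debug switch would emit and the logging endpoint's handling of a posted violation report, written in Python rather than Wt's C++; the function names, the endpoint name and the sample report bodies are assumptions:

```python
import json
import logging

log = logging.getLogger("csp-report")

def csp_headers(directives, report_only, endpoint="csp-endpoint", path="/csp-report-endpoint"):
    """Build the response headers for a policy (hypothetical helper, not Wt's own API).

    report_only=True models a csp-debug style switch: the same policy goes out in
    Content-Security-Policy-Report-Only, so the browser reports but never blocks.
    report-to names an endpoint, and the Reporting API requires a Reporting-Endpoints
    header that maps that name to the URL the reports are POSTed to.
    """
    name = "Content-Security-Policy-Report-Only" if report_only else "Content-Security-Policy"
    return {name: "; ".join(list(directives) + [f"report-to {endpoint}"]),
            "Reporting-Endpoints": f'{endpoint}="{path}"'}

def parse_csp_reports(body):
    """Normalise a violation report body to [{directive, blocked, document, disposition}].

    Two shapes arrive: the Reporting API array used with report-to (camelCase keys)
    and the legacy report-uri object {"csp-report": {...}} (kebab-case keys).
    """
    data = json.loads(body)
    if isinstance(data, dict) and "csp-report" in data:
        r = data["csp-report"]
        return [{"directive": r.get("effective-directive", r.get("violated-directive", "")),
                 "blocked": r.get("blocked-uri", ""), "document": r.get("document-uri", ""),
                 "disposition": r.get("disposition", "")}]
    if isinstance(data, list):
        return [{"directive": i["body"].get("effectiveDirective", ""),
                 "blocked": i["body"].get("blockedURL", ""),
                 "document": i["body"].get("documentURL", ""),
                 "disposition": i["body"].get("disposition", "")}
                for i in data if i.get("type") == "csp-violation"]
    raise ValueError("unrecognised CSP report body")

def handle_report(body):
    """What the report endpoint does with a POST body: parse, log each violation, return count."""
    reports = parse_csp_reports(body)
    for r in reports:
        log.warning("CSP %s: %s blocked %r on %s", r["disposition"], r["directive"], r["blocked"], r["document"])
    return len(reports)

# Constructed sample bodies, shaped like what a browser would POST to the endpoint.
REPORT_TO_BODY = json.dumps([{"type": "csp-violation", "age": 10, "url": "https://app.example/",
    "body": {"documentURL": "https://app.example/", "effectiveDirective": "script-src-elem",
             "blockedURL": "inline", "disposition": "report",
             "originalPolicy": "default-src 'self'; report-to csp-endpoint"}}])
LEGACY_BODY = json.dumps({"csp-report": {"document-uri": "https://app.example/",
    "effective-directive": "style-src", "blocked-uri": "https://cdn.example/x.css",
    "disposition": "enforce"}})
```

In report-only mode the disposition field of each report reads "report", which is how a log consumer can tell debug-mode findings from violations that were actually blocked.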
Updated by Matthias Van Ceulebroeck 7 days ago
- Target version changed from 4.13.1 to 4.14.0