Use report-to instead of the deprecated report-uri #166

Open
sandstrom opened this issue Nov 24, 2020 · 1 comment

@sandstrom
Collaborator

sandstrom commented Nov 24, 2020

The new Reporting API is not supported by all browsers yet, so this isn't something we need to move on for at least another year or so. As of November 2020 it's not yet supported by Firefox or Safari.

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-to

  1. At some point we'll want to add support for report-to in addition to report-uri. When both are present and the browser supports both, report-to takes precedence.
  2. Separately, when all browsers supported by Ember have support for report-to we'll want to drop the report-uri value.

Opened since @jelhan asked me to: #148

Background

@jelhan
Collaborator

jelhan commented Nov 24, 2020

Thanks a lot for opening this issue.

  1. At some point we'll want to add support for report-to in addition to report-uri. When both are present and the browser supports both, report-to takes precedence.
  2. Separately, when all browsers supported by Ember have support for report-to we'll want to drop the report-uri value.

Sounds like a plan. Let's do it. 😄

I see two parts of the addon being affected by that change:

  1. report-uri option of csp-headers Ember CLI command: ember csp-headers --report-uri http://examples.com (https://github.com/rwjblue/ember-cli-content-security-policy/blob/414cf2dc89d9b7f547a1f63ef90c7f45d91b227d/lib/commands.js#L23-L27)
  2. report-uri directive injected if using development server to report CSP violations on the terminal: https://github.com/rwjblue/ember-cli-content-security-policy/blob/2e2e7254e6c700d226b7194a3a1ea05f7b73ba4d/index.js#L150-L162

For the CLI command I tend toward renaming it to report-to and adding report-uri as an alias until we reach phase 2.

A pull request implementing this is welcome.
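
The first phase discussed in this thread (emit report-to alongside report-uri) could look like the sketch below. It is an added example, not code from the addon or from either commenter: `buildReportingHeaders`, the group name `csp-endpoint`, the `maxAge` default and the sample URLs are assumptions, and it conservatively emits report-to only for https endpoints.

```javascript
// Added example: hypothetical helper, not part of ember-cli-content-security-policy.
const GROUP = 'csp-endpoint'; // assumed reporting group name

// policy: { directiveName: [sourceExpressions] }; reportUrl: absolute URL string.
function buildReportingHeaders(policy, reportUrl, { maxAge = 86400 } = {}) {
  const url = new URL(reportUrl); // throws on malformed input
  // ';' ends a CSP directive and ',' splits header values: refuse URLs that
  // would let the endpoint string spill into other directives or policies.
  if (/[;,\s]/.test(url.href)) {
    throw new Error('report URL must not contain ";", "," or whitespace');
  }

  // Drop any caller-supplied reporting directives so each is emitted once.
  const directives = Object.entries(policy)
    .filter(([name]) => name !== 'report-uri' && name !== 'report-to')
    .map(([name, sources]) => [name, ...sources].join(' '));

  // report-uri stays for browsers without Reporting API support.
  directives.push(`report-uri ${url.href}`);

  const headers = {};
  if (url.protocol === 'https:') {
    // report-to names a group that the Report-To response header defines.
    directives.push(`report-to ${GROUP}`);
    headers['Report-To'] = JSON.stringify({
      group: GROUP,
      max_age: maxAge,
      endpoints: [{ url: url.href }],
    });
  }
  headers['Content-Security-Policy'] = directives.join('; ');
  return headers;
}

// Constructed sample input.
console.log(
  buildReportingHeaders(
    { 'default-src': ["'none'"], 'script-src': ["'self'"] },
    'https://reports.example.com/csp'
  )
);
```

Dropping report-uri later (the second phase) would then be a one-line removal once every supported browser handles report-to.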
