Add support for W3C Reporting API

Implements support for the W3C Reporting API (https://w3c.github.io/reporting/)
to enable standardized browser reporting for security violations and other issues.

Changes include:

1. New Reporting-Endpoints Header:
   - Added ReportingEndpoints header class to configure named reporting endpoints
   - Accepts hash configuration: { default: "https://example.com/reports" }
   - Generates header: Reporting-Endpoints: default="https://example.com/reports"

2. CSP report-to Directive:
   - Added report_to directive to Content Security Policy
   - New :string directive type for single token values
   - Positioned before legacy report-uri directive for clarity

3. Configuration Updates:
   - Registered reporting_endpoints in CONFIG_ATTRIBUTES_TO_HEADER_CLASSES
   - Added report_to to DIRECTIVES_3_0 (CSP Level 3)
   - Updated NON_FETCH_SOURCES to include report_to

4. Tests:
   - Complete test coverage for ReportingEndpoints header
   - CSP tests for report-to directive
   - Integration tests for both headers working together

5. Documentation:
   - Added W3C Reporting API section to README
   - Usage examples for both modern and legacy browser support
   - Configuration examples showing endpoint definition and CSP integration

Addresses issue #512

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

Author: claude

README.md

@@ -16,6 +16,7 @@ The gem will automatically apply several headers that are related to security.
 - referrer-policy - [Referrer Policy draft](https://w3c.github.io/webappsec-referrer-policy/)
 - expect-ct - Only use certificates that are present in the certificate transparency logs. [expect-ct draft specification](https://datatracker.ietf.org/doc/draft-stark-expect-ct/).
 - clear-site-data - Clearing browser data for origin. [clear-site-data specification](https://w3c.github.io/webappsec-clear-site-data/).
+- reporting-endpoints - Configure endpoints for the W3C Reporting API. [Reporting API specification](https://w3c.github.io/reporting/).
 
 It can also mark all http cookies with the Secure, HttpOnly and SameSite attributes. This is on default but can be turned off by using `config.cookies = SecureHeaders::OPT_OUT`.
 
@@ -54,6 +55,9 @@ SecureHeaders::Configuration.default do |config|
   config.x_download_options = "noopen"
   config.x_permitted_cross_domain_policies = "none"
   config.referrer_policy = %w(origin-when-cross-origin strict-origin-when-cross-origin)
+  config.reporting_endpoints = {
+    default: "https://report-uri.io/example-reporting"
+  }
   config.csp = {
     # "meta" values. these will shape the header, but the values are not included in the header.
     preserve_schemes: true, # default: false. Schemes are removed from host sources to save bytes and discourage mixed content.
@@ -81,7 +85,8 @@ SecureHeaders::Configuration.default do |config|
     style_src_attr: %w('unsafe-inline'),
     worker_src: %w('self'),
     upgrade_insecure_requests: true, # see https://www.w3.org/TR/upgrade-insecure-requests/
-    report_uri: %w(https://report-uri.io/example-csp)
+    report_to: 'default', # W3C Reporting API endpoint name (modern browsers)
+    report_uri: %w(https://report-uri.io/example-csp) # Legacy reporting (older browsers)
   }
   # This is available only from 3.5.0; use the `report_only: true` setting for 3.4.1 and below.
   config.csp_report_only = config.csp.merge({

lib/secure_headers.rb

@@ -11,6 +11,7 @@
 require "secure_headers/headers/referrer_policy"
 require "secure_headers/headers/clear_site_data"
 require "secure_headers/headers/expect_certificate_transparency"
+require "secure_headers/headers/reporting_endpoints"
 require "secure_headers/middleware"
 require "secure_headers/railtie"
 require "secure_headers/view_helper"
@@ -208,7 +209,7 @@ def raise_on_unknown_target(target)
 
     def config_and_target(request, target)
       config = config_for(request)
-      target = guess_target(config) unless target
+      target ||= guess_target(config)
       raise_on_unknown_target(target)
       [config, target]
     end

lib/secure_headers/configuration.rb

@@ -128,6 +128,7 @@ def deep_copy_if_hash(value)
       referrer_policy: ReferrerPolicy,
       clear_site_data: ClearSiteData,
       expect_certificate_transparency: ExpectCertificateTransparency,
+      reporting_endpoints: ReportingEndpoints,
       csp: ContentSecurityPolicy,
       csp_report_only: ContentSecurityPolicy,
       cookies: Cookie,

lib/secure_headers/headers/clear_site_data.rb

@@ -11,43 +11,41 @@ class ClearSiteData
     EXECUTION_CONTEXTS = "executionContexts".freeze
     ALL_TYPES = [CACHE, COOKIES, STORAGE, EXECUTION_CONTEXTS]
 
-    class << self
-      # Public: make an clear-site-data header name, value pair
-      #
-      # Returns nil if not configured, returns header name and value if configured.
-      def make_header(config = nil, user_agent = nil)
-        case config
-        when nil, OPT_OUT, []
-          # noop
-        when Array
-          [HEADER_NAME, make_header_value(config)]
-        when true
-          [HEADER_NAME, make_header_value(ALL_TYPES)]
-        end
+    # Public: make an clear-site-data header name, value pair
+    #
+    # Returns nil if not configured, returns header name and value if configured.
+    def self.make_header(config = nil, user_agent = nil)
+      case config
+      when nil, OPT_OUT, []
+        # noop
+      when Array
+        [HEADER_NAME, make_header_value(config)]
+      when true
+        [HEADER_NAME, make_header_value(ALL_TYPES)]
       end
+    end
 
-      def validate_config!(config)
-        case config
-        when nil, OPT_OUT, true
-          # valid
-        when Array
-          unless config.all? { |t| t.is_a?(String) }
-            raise ClearSiteDataConfigError.new("types must be Strings")
-          end
-        else
-          raise ClearSiteDataConfigError.new("config must be an Array of Strings or `true`")
+    def self.validate_config!(config)
+      case config
+      when nil, OPT_OUT, true
+        # valid
+      when Array
+        unless config.all? { |t| t.is_a?(String) }
+          raise ClearSiteDataConfigError.new("types must be Strings")
         end
+      else
+        raise ClearSiteDataConfigError.new("config must be an Array of Strings or `true`")
       end
+    end
 
-      # Public: Transform a clear-site-data config (an Array of Strings) into a
-      # String that can be used as the value for the clear-site-data header.
-      #
-      # types - An Array of String of types of data to clear.
-      #
-      # Returns a String of quoted values that are comma separated.
-      def make_header_value(types)
-        types.map { |t| %("#{t}") }.join(", ")
-      end
+    # Public: Transform a clear-site-data config (an Array of Strings) into a
+    # String that can be used as the value for the clear-site-data header.
+    #
+    # types - An Array of String of types of data to clear.
+    #
+    # Returns a String of quoted values that are comma separated.
+    def self.make_header_value(types)
+      types.map { |t| %("#{t}") }.join(", ")
     end
   end
 end

lib/secure_headers/headers/content_security_policy.rb

@@ -46,7 +46,7 @@ def value
     private
 
     # Private: converts the config object into a string representing a policy.
-    # Places default-src at the first directive and report-uri as the last. All
+    # Places default-src at the first directive and report-to/report-uri as the last. All
     # others are presented in alphabetical order.
     #
     # Returns a content security policy header value.
@@ -59,6 +59,8 @@ def build_value
           build_source_list_directive(directive_name)
         when :boolean
           symbol_to_hyphen_case(directive_name) if @config.directive_value(directive_name)
+        when :string
+          build_string_directive(directive_name)
         when :sandbox_list
           build_sandbox_list_directive(directive_name)
         when :media_type_list
@@ -67,6 +69,11 @@ def build_value
       end.compact.join("; ")
     end
 
+    def build_string_directive(directive)
+      return unless string_value = @config.directive_value(directive)
+      [symbol_to_hyphen_case(directive), string_value].join(" ")
+    end
+
     def build_sandbox_list_directive(directive)
       return unless sandbox_list = @config.directive_value(directive)
       max_strict_policy = case sandbox_list
@@ -179,11 +186,12 @@ def append_nonce(source_list, nonce)
     end
 
     # Private: return the list of directives,
-    # starting with default-src and ending with report-uri.
+    # starting with default-src and ending with report-to and report-uri.
     def directives
       [
         DEFAULT_SRC,
         BODY_DIRECTIVES,
+        REPORT_TO,
         REPORT_URI,
       ].flatten
     end

lib/secure_headers/headers/cookie.rb

@@ -7,10 +7,8 @@ module SecureHeaders
   class CookiesConfigError < StandardError; end
   class Cookie
 
-    class << self
-      def validate_config!(config)
-        CookiesConfig.new(config).validate!
-      end
+    def self.validate_config!(config)
+      CookiesConfig.new(config).validate!
     end
 
     attr_reader :raw_cookie, :config

lib/secure_headers/headers/expect_certificate_transparency.rb

@@ -9,31 +9,29 @@ class ExpectCertificateTransparency
     REQUIRED_MAX_AGE_ERROR      = "max-age is a required directive.".freeze
     INVALID_MAX_AGE_ERROR       = "max-age must be a number.".freeze
 
-    class << self
-      # Public: Generate a expect-ct header.
-      #
-      # Returns nil if not configured, returns header name and value if
-      # configured.
-      def make_header(config, use_agent = nil)
-        return if config.nil? || config == OPT_OUT
+    # Public: Generate a expect-ct header.
+    #
+    # Returns nil if not configured, returns header name and value if
+    # configured.
+    def self.make_header(config, use_agent = nil)
+      return if config.nil? || config == OPT_OUT
 
-        header = new(config)
-        [HEADER_NAME, header.value]
-      end
+      header = new(config)
+      [HEADER_NAME, header.value]
+    end
 
-      def validate_config!(config)
-        return if config.nil? || config == OPT_OUT
-        raise ExpectCertificateTransparencyConfigError.new(INVALID_CONFIGURATION_ERROR) unless config.is_a? Hash
+    def self.validate_config!(config)
+      return if config.nil? || config == OPT_OUT
+      raise ExpectCertificateTransparencyConfigError.new(INVALID_CONFIGURATION_ERROR) unless config.is_a? Hash
 
-        unless [true, false, nil].include?(config[:enforce])
-          raise ExpectCertificateTransparencyConfigError.new(INVALID_ENFORCE_VALUE_ERROR)
-        end
+      unless [true, false, nil].include?(config[:enforce])
+        raise ExpectCertificateTransparencyConfigError.new(INVALID_ENFORCE_VALUE_ERROR)
+      end
 
-        if !config[:max_age]
-          raise ExpectCertificateTransparencyConfigError.new(REQUIRED_MAX_AGE_ERROR)
-        elsif config[:max_age].to_s !~ /\A\d+\z/
-          raise ExpectCertificateTransparencyConfigError.new(INVALID_MAX_AGE_ERROR)
-        end
+      if !config[:max_age]
+        raise ExpectCertificateTransparencyConfigError.new(REQUIRED_MAX_AGE_ERROR)
+      elsif config[:max_age].to_s !~ /\A\d+\z/
+        raise ExpectCertificateTransparencyConfigError.new(INVALID_MAX_AGE_ERROR)
       end
     end
 

lib/secure_headers/headers/policy_management.rb

@@ -38,6 +38,7 @@ def self.included(base)
     SANDBOX = :sandbox
     SCRIPT_SRC = :script_src
     STYLE_SRC = :style_src
+    REPORT_TO = :report_to
     REPORT_URI = :report_uri
 
     DIRECTIVES_1_0 = [
@@ -87,6 +88,7 @@ def self.included(base)
       MANIFEST_SRC,
       NAVIGATE_TO,
       PREFETCH_SRC,
+      REPORT_TO,
       REQUIRE_SRI_FOR,
       WORKER_SRC,
       UPGRADE_INSECURE_REQUESTS,
@@ -110,9 +112,9 @@ def self.included(base)
 
     ALL_DIRECTIVES = (DIRECTIVES_1_0 + DIRECTIVES_2_0 + DIRECTIVES_3_0 + DIRECTIVES_EXPERIMENTAL).uniq.sort
 
-    # Think of default-src and report-uri as the beginning and end respectively,
+    # Think of default-src as the beginning and report-to/report-uri as the end,
     # everything else is in between.
-    BODY_DIRECTIVES = ALL_DIRECTIVES - [DEFAULT_SRC, REPORT_URI]
+    BODY_DIRECTIVES = ALL_DIRECTIVES - [DEFAULT_SRC, REPORT_TO, REPORT_URI]
 
     DIRECTIVE_VALUE_TYPES = {
       BASE_URI                  => :source_list,
@@ -131,6 +133,7 @@ def self.included(base)
       PLUGIN_TYPES              => :media_type_list,
       REQUIRE_SRI_FOR           => :require_sri_for_list,
       REQUIRE_TRUSTED_TYPES_FOR => :require_trusted_types_for_list,
+      REPORT_TO                 => :string,
       REPORT_URI                => :source_list,
       PREFETCH_SRC              => :source_list,
       SANDBOX                   => :sandbox_list,
@@ -158,6 +161,7 @@ def self.included(base)
       FORM_ACTION,
       FRAME_ANCESTORS,
       NAVIGATE_TO,
+      REPORT_TO,
       REPORT_URI,
     ]
 
@@ -336,6 +340,10 @@ def validate_directive!(directive, value)
           unless boolean?(value)
             raise ContentSecurityPolicyConfigError.new("#{directive} must be a boolean. Found #{value.class} value")
           end
+        when :string
+          unless value.is_a?(String)
+            raise ContentSecurityPolicyConfigError.new("#{directive} must be a string. Found #{value.class} value")
+          end
         when :sandbox_list
           validate_sandbox_expression!(directive, value)
         when :media_type_list

lib/secure_headers/headers/referrer_policy.rb

@@ -15,29 +15,27 @@ class ReferrerPolicy
       unsafe-url
     )
 
-    class << self
-      # Public: generate an Referrer Policy header.
-      #
-      # Returns a default header if no configuration is provided, or a
-      # header name and value based on the config.
-      def make_header(config = nil, user_agent = nil)
-        return if config == OPT_OUT
-        config ||= DEFAULT_VALUE
-        [HEADER_NAME, Array(config).join(", ")]
-      end
+    # Public: generate an Referrer Policy header.
+    #
+    # Returns a default header if no configuration is provided, or a
+    # header name and value based on the config.
+    def self.make_header(config = nil, user_agent = nil)
+      return if config == OPT_OUT
+      config ||= DEFAULT_VALUE
+      [HEADER_NAME, Array(config).join(", ")]
+    end
 
-      def validate_config!(config)
-        case config
-        when nil, OPT_OUT
-          # valid
-        when String, Array
-          config = Array(config)
-          unless config.all? { |t| t.is_a?(String) && VALID_POLICIES.include?(t.downcase) }
-            raise ReferrerPolicyConfigError.new("Value can only be one or more of #{VALID_POLICIES.join(", ")}")
-          end
-        else
-          raise TypeError.new("Must be a string or array of strings. Found #{config.class}: #{config}")
+    def self.validate_config!(config)
+      case config
+      when nil, OPT_OUT
+        # valid
+      when String, Array
+        config = Array(config)
+        unless config.all? { |t| t.is_a?(String) && VALID_POLICIES.include?(t.downcase) }
+          raise ReferrerPolicyConfigError.new("Value can only be one or more of #{VALID_POLICIES.join(", ")}")
         end
+      else
+        raise TypeError.new("Must be a string or array of strings. Found #{config.class}: #{config}")
       end
     end
   end

lib/secure_headers/headers/reporting_endpoints.rb

@@ -0,0 +1,45 @@
+# frozen_string_literal: true
+module SecureHeaders
+  class ReportingEndpointsConfigError < StandardError; end
+
+  class ReportingEndpoints
+    HEADER_NAME = "reporting-endpoints".freeze
+    INVALID_CONFIGURATION_ERROR = "config must be a hash.".freeze
+    INVALID_ENDPOINT_NAME_ERROR = "endpoint names must be strings or symbols.".freeze
+    INVALID_ENDPOINT_URL_ERROR = "endpoint URLs must be strings.".freeze
+
+    # Public: Generate a Reporting-Endpoints header.
+    #
+    # Returns nil if not configured, returns header name and value if
+    # configured.
+    def self.make_header(config, user_agent = nil)
+      return if config.nil? || config == OPT_OUT
+
+      header = new(config)
+      [HEADER_NAME, header.value]
+    end
+
+    def self.validate_config!(config)
+      return if config.nil? || config == OPT_OUT
+      raise ReportingEndpointsConfigError.new(INVALID_CONFIGURATION_ERROR) unless config.is_a?(Hash)
+
+      config.each do |name, url|
+        unless name.is_a?(String) || name.is_a?(Symbol)
+          raise ReportingEndpointsConfigError.new(INVALID_ENDPOINT_NAME_ERROR)
+        end
+
+        unless url.is_a?(String)
+          raise ReportingEndpointsConfigError.new(INVALID_ENDPOINT_URL_ERROR)
+        end
+      end
+    end
+
+    def initialize(config)
+      @endpoints = config
+    end
+
+    def value
+      @endpoints.map { |name, url| "#{name}=\"#{url}\"" }.join(", ")
+    end
+  end
+end