CSP Report-uri deprecated, replaced by report-to

[martindaehn23]

Adding a new CSP directive

Report-uri seems to be depricated: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-uri
Instead we want to use both, report-uri and report-to, to be future proof and backward compatible.

• Is the directive supported by any user agent? If so, which?
  https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-to

• Chrome
• Edge
• Opera

• What does it do?
  Used to substitute report-uri.

• What are the valid values for the directive?
  Content-Security-Policy: report-to ;

[tmaier]

For additional context: The new report-to directive requires the Reporting-Endpoints HTTP header to define reporting endpoints (see W3C Reporting API spec and MDN docs).

Rails has an open PR (#52367) for Reporting API support, likely targeting Rails 8.1.

Both report-uri (deprecated) and report-to can coexist for backward compatibility during the transition period.