enable csp reporting

app/views/site/bits.scala

@@ -26,7 +26,7 @@ object bits {
 <html>
   <head>
     <meta charset="utf-8"/>
-    <meta http-equiv="Content-Security-Policy" content="default-src 'self'; style-src https://fonts.googleapis.com 'unsafe-inline'; font-src https://fonts.gstatic.com; script-src 'unsafe-eval' https://cdn.jsdelivr.net blob:; child-src blob:; connect-src https://raw.githubusercontent.com; img-src data: https://lichess.org https://lichess1.org;">
+    <meta http-equiv="Content-Security-Policy" content="default-src 'self'; style-src https://fonts.googleapis.com 'unsafe-inline'; font-src https://fonts.gstatic.com; script-src 'unsafe-eval' https://cdn.jsdelivr.net blob:; child-src blob:; connect-src https://raw.githubusercontent.com; img-src data: https://lichess.org https://lichess1.org; report-to default;">
     <title>Lichess HTTP API documentation</title>
     <meta name="viewport" content="width=device-width, initial-scale=1">
     <link href="https://fonts.googleapis.com/css?family=Montserrat:300,400,700|Roboto:300,400,700" rel="stylesheet">

modules/common/src/main/ContentSecurityPolicy.scala

@@ -66,7 +66,8 @@ case class ContentSecurityPolicy(
     "worker-src " -> workerSrc,
     "img-src " -> imgSrc,
     "script-src " -> scriptSrc,
-    "base-uri " -> baseUri
+    "base-uri " -> baseUri,
+    "report-to " -> List("default")
   ) collect {
       case (directive, sources) if sources.nonEmpty =>
         sources.mkString(directive, " ", ";")