TYPO3 Core

Indeed I couldn't see an option to use the "Content-Security-Policy-Report-Only" header. typo3/sysext/frontend/Classes/Middleware/ContentSecurityPolicyHeaders.php in method process does this:

return $response->withHeader('Content-Security-Policy', $policy->compile($this->requestId->nonce, $this->cache));

so there's no toggle for the header. While this would be nice to get implemented as a flag, you could workaround this with a small hack.

You could register a custom middleware just after the ContentSecurityPolicyHeaders middleware and modify the output with something like:

final readonly class ContentSecurityPolicyHeadersReportOnly implements MiddlewareInterface
{
    public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface
    {
        $response = $handler->handle($request);
        // ContentSecurityPolicyHeaders has now handled our response, let's mangle it.
        if ($response->hasHeader('Content-Security-Policy')) {
            $response = $response->withHeader('Content-Security-Policy-Report-Only', $response->getHeader('Content-Security-Policy'));
            // Detach the old header
            $response = $response->withoutHeader('Content-Security-Policy');
        }
        return $response;
    }
}

I have not tested this, but in theory this should work by just "renaming" the header. Maybe you'd like to try this until a decision can be made whether to support this with a config/option/API toggle?