
@WaPoNe
Created October 18, 2024 11:01
This patch for the Magento CSP module fixes a bug involving the deprecated 'Report-To' header.
diff --git a/vendor/magento/module-csp/Model/Policy/Renderer/SimplePolicyHeaderRenderer.php b/vendor/magento/module-csp/Model/Policy/Renderer/SimplePolicyHeaderRenderer.php
index d419c25..f758333 100644
--- a/vendor/magento/module-csp/Model/Policy/Renderer/SimplePolicyHeaderRenderer.php
+++ b/vendor/magento/module-csp/Model/Policy/Renderer/SimplePolicyHeaderRenderer.php
@@ -45,17 +45,9 @@ class SimplePolicyHeaderRenderer implements PolicyRendererInterface
$header = 'Content-Security-Policy';
}
$value = $policy->getId() .' ' .$policy->getValue() .';';
- if ($config->getReportUri() && !$response->getHeader('Report-To')) {
- $reportToData = [
- 'group' => 'report-endpoint',
- 'max_age' => 10886400,
- 'endpoints' => [
- ['url' => $config->getReportUri()]
- ]
- ];
- $value .= ' report-uri ' .$config->getReportUri() .';';
- $value .= ' report-to '. $reportToData['group'] .';';
- $response->setHeader('Report-To', json_encode($reportToData), true);
+ if ($config->getReportUri()) {
+ $value .= ' report-uri ' . $config->getReportUri() .';';
+ $value .= ' report-to '. $config->getReportUri() .';';
}
if ($existing = $response->getHeader($header)) {
$value = $value .' ' .$existing->getFieldValue();
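Review bot: The added `report-to` line puts the report URL itself into the directive, but CSP's `report-to` expects an endpoint group name declared in a separate `Reporting-Endpoints` (or legacy `Report-To`) response header, so browsers should ignore this value and reporting effectively relies on `report-uri` alone. If the aim is only to stop sending the deprecated header, declare the endpoint with `$response->setHeader('Reporting-Endpoints', 'report-endpoint="' . $config->getReportUri() . '"', true);` and keep `$value .= ' report-to report-endpoint;';`. Dropping the `!$response->getHeader('Report-To')` guard also means the reporting directives are appended for every policy rendered into the same header, which looks like it yields repeated `report-uri` directives once the value is concatenated with `$existing`. The configured URI is concatenated into the header value unescaped, so confirm it is validated upstream against `;` and whitespace, which would otherwise let a bad config value alter the policy. The enclosing method starts and ends outside the hunk.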