report-toreport-to is the modern reporting directive that names a destination (a group name) for CSP violation reports. The actual endpoint URL is mapped to that name via a separate Reporting-Endpoints (or the older Report-To) HTTP header. It is the successor to the deprecated report-uri.
It works differently from report-uri: the report-to value is a group name, not a URL. For example, you send Reporting-Endpoints: csp-endpoint="https://report.example.com/csp" in the response and specify report-to csp-endpoint in the CSP. This Reporting-API-based approach lets you funnel CSP and other policy violations (e.g., Permissions Policy, NEL) into unified infrastructure, with richer delivery controls like batching and timeouts.
However, browser support and implementation details differ (the old Report-To header vs. the new Reporting-Endpoints header), so in practice declaring both report-to (new) and report-uri (old) ensures broad compatibility. report-to also does not fall back to default-src.
Content-Security-Policy: default-src 'self'; report-to csp-endpoint