For example, Mozilla supported CSP reporting being required. I tried hard to just allow CSP reporting to be optional, but even the Mozilla reps failed to support me, actually they were quite rude. I would note that Mozilla provide no option to disable the reporting when CSP is enabled. The mandatory CSP reporting effectively outsources client side security to the cloud and leads to the CSP becoming useless for enforcement by the user. The proponents held the view that most deployments would be 'reporting' not enforcement and that allowing reporting to be optional was a show stopper. PayPal organized a 'red-herring' discussion about fingerprinting being inevitable and thus argued that reporting does not add to the privacy issues, but of course fingerprinting is hardly the only issue. Everyone congratulated themselves for 'successfully' addressing the 'privacy' concerns, even the W3C PING, and CSP advances with mandatory reporting - PayPal got what they wanted and probably had a good laugh. My trust in Mozilla is limited, but they still seem worthy of some support for their work. I believe a shadowing derivative distribution by a separate entity will be necessary to really tackle some areas of concern.