paragonie / csp-builder

Build Content-Security-Policy headers from a JSON file (or build them programmatically)

Home Page: https://paragonie.com/projects

DOCUMENTATION?????????????

strider72 opened this issue · comments

For the love of God people, could you please document this?

I've spent an hour trying to figure out how to set report-uri and simply nothing works. CSPBuilder.php on line 107 thinks "/csp_reporting.php" is an array. Or something. I don't know, because I have no $#%*)^% idea how it's intended to work. AddDirective()? AddSource()? SacrificeFirstBornAtMidnight()?

commented

I agree that better documentation would be nice.

To resolve your immediate problem:

$cspBuilder->addDirective('report-uri', 'https://foo.example.com/csp_reporting.php');

commented

I've added an explicit, dedicated API method and included it in the README, for the next minor release: c214593

I might write up a bit of documentation and send it your way. There are a few gotchas here and there. One followup question: How do I programmatically set "default-src" to 'none'?

I've tried addDirective( 'default-src', 'none' ) but that sets it to blank (literally default-src ;). Blank appears to have the same effect, but it's non-standard and non-standard makes me antsy.

EDIT:
I figured out how to explicitly set default-src to 'none'. Use false.

$csp->addDirective('default-src', false);

How do I best contribute improved documentation? Just fork and do a pull request on readme.md ?

commented

That would be the best way, but if you don't have the time to fiddle with it, just share a list of things you find frustrating, difficult, confusing, etc. and I'll make a checklist.

How do you install via Composer? Is there a line I can add to my main Composer file?

Installing with Composer gives a message suggesting I install psr/http-message. You might want to add a bit in the docs saying why this is suggested.

I've moved this to a dependency. PSR dependencies are low risk, and this makes static analysis easier.
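The two gotchas this thread uncovers (report-uri is set with addDirective() as a plain string, and default-src becomes 'none' only when you pass false, not the string 'none') are easy to get wrong, so here is a complete script that builds the policy programmatically and checks the compiled header for both. This is an added example, not code from the issue thread or from the csp-builder project; it assumes the library was installed with Composer, and the CDN and image hosts and the reporting endpoint are hypothetical.

```php
<?php
// Added example: builds the policy discussed in the thread with csp-builder's
// programmatic API and prints the resulting header value.
// Assumes "composer require paragonie/csp-builder" has been run and that the
// hosts used below (cdn.example.com, images.example.com, foo.example.com) are
// placeholders you replace with your own.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use ParagonIE\CSPBuilder\CSPBuilder;

function buildPolicy(): string
{
    $csp = new CSPBuilder();

    // Least-privilege baseline: deny every fetch that is not explicitly allowed.
    // As found in the thread, passing the string 'none' compiles to an empty
    // "default-src ;", whereas false compiles to "default-src 'none'".
    $csp->addDirective('default-src', false);

    // Allowlist only the origins the page actually needs (hypothetical hosts).
    $csp->addSource('script-src', 'https://cdn.example.com');
    $csp->addSource('img-src', 'https://images.example.com');
    $csp->addDirective('upgrade-insecure-requests', true);

    // Violation reports go to this endpoint; this is the call the maintainer
    // gave in the thread. report-uri only reports, it never blocks by itself:
    // enforcement comes from the directives above.
    $csp->addDirective('report-uri', 'https://foo.example.com/csp_reporting.php');

    return $csp->compile();
}

$header = buildPolicy();
echo 'Content-Security-Policy: ', $header, PHP_EOL;

// Sanity checks for the two gotchas the thread describes. A policy whose
// default-src silently became empty is weaker than intended, so fail loudly.
if (strpos($header, "default-src 'none'") === false) {
    fwrite(STDERR, "default-src did not compile to 'none'\n");
    exit(1);
}
if (strpos($header, 'report-uri https://foo.example.com/csp_reporting.php') === false) {
    fwrite(STDERR, "report-uri is missing from the compiled policy\n");
    exit(1);
}
```

In a plain PHP page you would call $csp->sendCSPHeader() before any output instead of echoing the string; in a PSR-7 application you pass the response through $csp->injectCSPHeader(), which is the reason the last comment above gives for psr/http-message being a real dependency rather than a suggestion.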