It is a great way to see the possible effect of implementing a Content-Security-Policy header without actually blocking anything. When you use
Content-Security-Policy-Report-Only it only sends reports to the developer tools console and if you have specified a
report-uri directive it can post a JSON representation of the a violation to a URI endpoint that you specify.
Content-Security-Policy-Report-Only header has been supported since the first version of CSP Level 1. This means that support has existed since 2013: Chrome 25+, Firefox 23+, Safari 7+ or IE Edge 12+.