I am trying to use the report-to CSP directive to report policy violations. This works well if the specified endpoint is a public (non-authenticated) URL. However, I would like the reporting URL to require a JWT (all CSP protected pages are in an authenticated context). Is there a way to specify the Bearer header when the browser sends the report?