For a project I was developing I needed to implement the Expect-CT header.
Unfortunately this was not implemented in SecKit yet, so I've made a patch for it.
Hope it's good enough.

Based on: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Expect-CT

Comments

jochemh created an issue.

aspilicious commented:

Status: Needs review » Reviewed & tested by the community

Looking good, and has a test

mcdruid commented:

Status: Reviewed & tested by the community » Needs review
Attached patch file (status: new, 6.24 KB)

Thanks!

I've re-rolled this so that it applies to 8.x-1.x again, and tidied a couple of things up.

I wonder whether we should also add a route/controller for the report-uri, in the same way we record CSP violations.

Details of what should be sent: https://tools.ietf.org/html/draft-ietf-httpbis-expect-ct-02#section-3

I don't think we need to block this going in on that todo though; in some cases the reports may go to a totally different site/domain.

  • mcdruid committed b37d98e on 8.x-1.x
    Issue #2962380 by jochemh, mcdruid: Add support for the Expect-CT header
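The report-uri controller discussed above would have to accept JSON from any client on the internet, so the first job is validating the body before anything is logged. The following is an added example, not SecKit code and not part of this issue: a plain PHP validator for an Expect-CT violation report. The field names (`date-time`, `hostname`, `port`, `effective-expiration-date`, `served-certificate-chain`, `validated-certificate-chain`, `scts`) follow my reading of draft-ietf-httpbis-expect-ct-02 section 3 and should be treated as an assumption to check against the draft you target; the function name, the size constant and the sample report are mine.

```php
<?php
// Added example, not SecKit code: validate an Expect-CT violation report the
// way a report-uri controller would before logging it. Field names follow
// my reading of draft-ietf-httpbis-expect-ct-02 section 3 and are an
// assumption to check against the draft you target.

// Reports carry whole certificate chains, so an unbounded body is an easy
// way for anyone on the internet to fill the log table.
define('SECKIT_EXAMPLE_MAX_REPORT_BYTES', 65536);

/**
 * Returns a normalised array, or NULL if the body is not a usable report.
 * The endpoint is unauthenticated, so bad input is a cheap, silent reject.
 */
function seckit_example_parse_expect_ct_report($body) {
  if (!is_string($body) || strlen($body) > SECKIT_EXAMPLE_MAX_REPORT_BYTES) {
    return NULL;
  }
  // Depth 8 is ample for the specified structure and bounds decoder work.
  $decoded = json_decode($body, TRUE, 8);
  if (!is_array($decoded) || !isset($decoded['expect-ct-report'])
      || !is_array($decoded['expect-ct-report'])) {
    return NULL;
  }
  $r = $decoded['expect-ct-report'];

  // hostname is client-controlled: require a plausible DNS name before it
  // reaches a log line or database row.
  if (!isset($r['hostname']) || !is_string($r['hostname'])
      || strlen($r['hostname']) > 253
      || !preg_match('/^[A-Za-z0-9.-]+$/', $r['hostname'])) {
    return NULL;
  }
  if (!isset($r['port']) || !is_int($r['port']) || $r['port'] < 1 || $r['port'] > 65535) {
    return NULL;
  }
  // date-time is an RFC 3339 timestamp; date_create() returns FALSE on junk.
  $when = (isset($r['date-time']) && is_string($r['date-time']))
    ? date_create($r['date-time']) : FALSE;
  if ($when === FALSE) {
    return NULL;
  }
  // scts: keep only the fields worth reporting on, and only from objects.
  $scts = array();
  if (isset($r['scts']) && is_array($r['scts'])) {
    foreach ($r['scts'] as $sct) {
      if (!is_array($sct)) {
        continue;
      }
      $scts[] = array(
        'status' => (isset($sct['status']) && is_string($sct['status'])) ? $sct['status'] : 'unknown',
        'source' => (isset($sct['source']) && is_string($sct['source'])) ? $sct['source'] : 'unknown',
      );
    }
  }
  // Certificate chains are counted, not stored, in this example.
  $served = (isset($r['served-certificate-chain']) && is_array($r['served-certificate-chain']))
    ? count($r['served-certificate-chain']) : 0;

  return array(
    'hostname' => strtolower($r['hostname']),
    'port' => $r['port'],
    'date_time' => $when->format(DATE_ATOM),
    'served_chain_length' => $served,
    'scts' => $scts,
  );
}

// Constructed sample, shaped like what a browser POSTs with
// Content-Type: application/expect-ct-report+json.
$sample = json_encode(array(
  'expect-ct-report' => array(
    'date-time' => '2018-05-01T12:00:00Z',
    'hostname' => 'www.example.com',
    'port' => 443,
    'effective-expiration-date' => '2018-05-02T12:00:00Z',
    'served-certificate-chain' => array('-----BEGIN CERTIFICATE-----...'),
    'validated-certificate-chain' => array('-----BEGIN CERTIFICATE-----...'),
    'scts' => array(
      array('version' => 1, 'status' => 'invalid', 'source' => 'tls-extension', 'serialized_sct' => 'AAAA'),
    ),
  ),
));

print_r(seckit_example_parse_expect_ct_report($sample));
// A report with an out-of-range port is dropped rather than logged.
var_dump(seckit_example_parse_expect_ct_report('{"expect-ct-report":{"hostname":"x","port":70000}}'));
```

The design choice worth noting is that the validator never stores the certificate chains: they are the bulk of every report, and an endpoint that persists them verbatim is trivial to flood. Counting them is enough to tell a genuine CT failure from noise; a real controller would additionally rate-limit by source address, as the existing CSP report handler should.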
    
mcdruid commented:

Version: 8.x-1.x-dev » 7.x-1.x-dev
Assigned: jochemh » Unassigned
Status: Needs review » Patch (to be ported)

Thanks! Ready for backport to D7.

nironan commented:

Attached patch file (status: new, 4.21 KB)

First backport attempt, hope it's ok!

  • mcdruid committed 24c47b9 on 7.x-1.x authored by nironan
    Issue #2962380 by jochemh, mcdruid, nironan: Add support for the Expect-...
mcdruid commented:

Status: Patch (to be ported) » Fixed

Thanks!

I made a couple of small tweaks to the backport; one to fix a typo in a comment, and the other to change to the older array syntax (which is still the standard in D7 code):

diff -u b/includes/seckit.form.inc b/includes/seckit.form.inc
--- b/includes/seckit.form.inc
+++ b/includes/seckit.form.inc
@@ -455,11 +455,11 @@
     '#title' => t('Max-Age'),
     '#description' => t('Specify Max-Age value in seconds.'),
     '#default_value' => $options['seckit_ct']['max_age'],
-    '#states' => [
-      'required' => [
-        'input[name="seckit_ct[expect_ct]"]' => ['checked' => TRUE],
-      ],
-    ],
+    '#states' => array(
+      'required' => array(
+        'input[name="seckit_ct[expect_ct]"]' => array('checked' => TRUE),
+      ),
+    ),
   );
   // Expect-CT report-uri directive
   $form['seckit_ct']['report-uri'] = array(
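Review bot: the `'required' => array(` condition keyed on `'input[name="seckit_ct[expect_ct]"]' => array('checked' => TRUE),` is enforced only by the Form API JavaScript in the browser; pair it with a validate handler that rejects an empty or non-integer Max-Age when Expect-CT is enabled, since the value read back from `$options['seckit_ct']['max_age']` is emitted verbatim into a response header. The `array()` conversion itself is the right call for 7.x, where short array syntax is not used.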
diff -u b/seckit.module b/seckit.module
--- b/seckit.module
+++ b/seckit.module
@@ -618,7 +618,7 @@
  * Sends Excpect-CT HTTP response header.
  *
  * Implementation is based on specification draft
- ost* available at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Expect-CT.
+ * available at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Expect-CT.
  */
 function _seckit_expect_ct() {
   $options = _seckit_get_options();
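Review bot: the unchanged context line ` * Sends Excpect-CT HTTP response header.` still misspells Expect-CT two lines above the comment line this hunk repairs; fix both while the docblock is open. The docblock also says the implementation is "based on specification draft" but links only to MDN; citing the draft itself (https://tools.ietf.org/html/draft-ietf-httpbis-expect-ct-02, referenced earlier in this issue) alongside the MDN page would make the reference accurate.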

Other than that, this was great - committed to 7.x-1.x ... thank you to all contributors!
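`_seckit_expect_ct()` in the patch reads the module options and sends the header. As an added example, not SecKit's own code, the function below builds the Expect-CT header value from an options array shaped like the one visible in the diff (`$options['seckit_ct']['expect_ct']`, `max_age`, `report-uri`); the `enforce` key, the function name and the sample option sets are my assumptions. It shows a report-only configuration, the same configuration switched to enforcing, and an invalid report-uri that must be refused rather than emitted, because the URI lands inside a quoted-string in a response header.

```php
<?php
// Added example, not SecKit code: build the Expect-CT header value from a
// SecKit-style options array. Option keys mirror the patch; the 'enforce'
// key and the function name are assumptions.

/**
 * Returns the Expect-CT header value, or NULL when no header should be sent
 * (feature disabled, or options that would produce a malformed header).
 */
function seckit_example_expect_ct_value(array $options) {
  $ct = isset($options['seckit_ct']) ? $options['seckit_ct'] : array();
  if (empty($ct['expect_ct'])) {
    return NULL;
  }
  // max-age is the only required directive: a non-negative integer number
  // of seconds. Anything else yields a header browsers ignore, so refuse it.
  $max_age = isset($ct['max_age']) ? $ct['max_age'] : NULL;
  if (!(is_int($max_age) || is_string($max_age)) || !preg_match('/^\d+$/', (string) $max_age)) {
    return NULL;
  }
  $directives = array('max-age=' . (int) $max_age);

  // Without 'enforce' the browser only reports; start there before enforcing.
  if (!empty($ct['enforce'])) {
    $directives[] = 'enforce';
  }

  if (!empty($ct['report-uri'])) {
    $uri = $ct['report-uri'];
    // The URI is emitted inside a quoted-string. A quote or backslash would
    // break the directive and CR/LF would start a new header line, so only a
    // clean absolute http(s) URL is accepted.
    if (!is_string($uri) || filter_var($uri, FILTER_VALIDATE_URL) === FALSE
        || !preg_match('#^https?://#i', $uri) || preg_match('/["\\\\\r\n]/', $uri)) {
      return NULL;
    }
    $directives[] = 'report-uri="' . $uri . '"';
  }
  return implode(', ', $directives);
}

// In a D7 module the value would be sent with
// drupal_add_http_header('Expect-CT', $value); here it is only printed.
$report_only = array('seckit_ct' => array(
  'expect_ct' => 1,
  'max_age' => '86400',
  'enforce' => 0,
  'report-uri' => 'https://reports.example.com/expect-ct',
));
$enforcing = $report_only;
$enforcing['seckit_ct']['enforce'] = 1;
// Constructed bad input: a report-uri carrying a CRLF, which a naive
// implementation would turn into an injected header line.
$rejected = $report_only;
$rejected['seckit_ct']['report-uri'] = "https://reports.example.com/ct\r\nX-Injected: 1";

$cases = array('report-only' => $report_only, 'enforce' => $enforcing, 'rejected' => $rejected);
foreach ($cases as $label => $opts) {
  echo $label, ': ', var_export(seckit_example_expect_ct_value($opts), TRUE), "\n";
}
```

Returning NULL for a bad configuration, rather than a best-effort header, is deliberate: a malformed Expect-CT header is silently ignored by the browser, so emitting one gives the administrator a false sense of coverage, whereas sending nothing at least matches what the browser does.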

  • mcdruid committed 2c91a4f on 8.x-1.x
    Issue #2962380 by mcdruid: Fix tiny codesniffer nit
    

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.