Fix reporting when only the report-only CSP header is present (#38002)

This was a bit confusing at first, but the report-only only
had an effect if it was used in conjunction with the regular
CSP header. This is incorrect, as the report-only header
can be present on its own.

Additionally, there was double-logic for parsing the CSP list
values, since we can only concatenate CSP lists if we have
an initial value, which requires a concrete policy value.

Therefore, abstract that way by looping over both headers and
handling the case where initially it is `None` and, if the
CSP header is not present, still `None` when we parse
the `report-only` header.

Additionally, update a WPT test. It was expecting the image
to load, yet was showing the fail image.

Part of #4577

Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com>

tests/wpt/meta/MANIFEST.json

@@ -577733,7 +577733,7 @@
       ]
      ],
      "reporting-api-report-only-sends-reports-on-violation.https.sub.html": [
-      "302025669d4417db670b6ebba18a6a49aed4e2eb",
+      "89e7357fbb9022cc9d068054151a9bf87d846276",
       [
        null,
        {}

tests/wpt/meta/content-security-policy/inside-worker/dedicatedworker-report-only.html.ini

@@ -1,16 +1,7 @@
 [dedicatedworker-report-only.html]
   expected: TIMEOUT
-  [Cross-origin 'fetch()'.]
-    expected: TIMEOUT
-
-  [Cross-origin XHR.]
-    expected: NOTRUN
-
-  [Same-origin => cross-origin 'fetch()'.]
-    expected: NOTRUN
-
   [WebSocket.]
-    expected: NOTRUN
+    expected: TIMEOUT
 
   [connect-src-self-report-only]
     expected: NOTRUN

tests/wpt/meta/content-security-policy/reporting-api/reporting-api-report-only-sends-reports-on-violation.https.sub.html.ini

@@ -1,7 +0,0 @@
-[reporting-api-report-only-sends-reports-on-violation.https.sub.html]
-  expected: TIMEOUT
-  [Event is fired]
-    expected: TIMEOUT
-
-  [Violation report status OK.]
-    expected: FAIL

tests/wpt/meta/content-security-policy/reporting/multiple-report-policies.html.ini

@@ -1,6 +0,0 @@
-[multiple-report-policies.html]
-  [2-Violation report status OK]
-    expected: FAIL
-
-  [1-Violation report status OK]
-    expected: FAIL

tests/wpt/meta/content-security-policy/reporting/report-multiple-violations-01.html.ini

@@ -1,6 +1,3 @@
 [report-multiple-violations-01.html]
-  [Violation report status OK.]
-    expected: FAIL
-
   [Test number of sent reports.]
     expected: FAIL

tests/wpt/meta/content-security-policy/reporting/report-multiple-violations-02.html.ini

@@ -1,6 +1,3 @@
 [report-multiple-violations-02.html]
-  [Violation report status OK.]
-    expected: FAIL
-
   [Test number of sent reports.]
     expected: FAIL

tests/wpt/meta/content-security-policy/reporting/report-only-unsafe-eval.html.ini

@@ -1,6 +0,0 @@
-[report-only-unsafe-eval.html]
-  [SPV event is still raised]
-    expected: FAIL
-
-  [Violation report status OK.]
-    expected: FAIL

tests/wpt/meta/content-security-policy/script-src/eval-allowed-in-report-only-mode-and-sends-report.html.ini

@@ -1,3 +0,0 @@
-[eval-allowed-in-report-only-mode-and-sends-report.html]
-  [Violation report status OK.]
-    expected: FAIL

tests/wpt/meta/trusted-types/default-policy-report-only.html.ini

@@ -1,31 +0,0 @@
-[default-policy-report-only.html]
-  expected: TIMEOUT
-  [Count SecurityPolicyViolation events.]
-    expected: TIMEOUT
-
-  [script.src default]
-    expected: FAIL
-
-  [script.src throw]
-    expected: FAIL
-
-  [script.src typeerror]
-    expected: FAIL
-
-  [div.innerHTML default]
-    expected: FAIL
-
-  [div.innerHTML throw]
-    expected: FAIL
-
-  [div.innerHTML typeerror]
-    expected: FAIL
-
-  [script.text default]
-    expected: FAIL
-
-  [script.text throw]
-    expected: FAIL
-
-  [script.text typeerror]
-    expected: FAIL

tests/wpt/meta/trusted-types/empty-default-policy-report-only.html.ini

@@ -1,4 +0,0 @@
-[empty-default-policy-report-only.html]
-  expected: TIMEOUT
-  [Count SecurityPolicyViolation events.]
-    expected: TIMEOUT

tests/wpt/meta/trusted-types/should-trusted-type-policy-creation-be-blocked-by-csp-002.html.ini

@@ -18,8 +18,5 @@
   [invalid directive "trusted-type _TTP" (no ascii whitespace)]
     expected: NOTRUN
 
-  [non-ASCII trusted-types directives are discarded ("política")]
-    expected: TIMEOUT
-
   [directive "trusted-type _TTP1_%09_TTP2_%0A%20_TTP3_%0C_TTP4_%0D_TTP5_%20_TTP6_" (required-ascii-whitespace)]
-    expected: NOTRUN
+    expected: TIMEOUT

tests/wpt/meta/trusted-types/trusted-types-reporting-check-report-DedicatedWorker-create-policy.html.ini

@@ -1,6 +0,0 @@
-[trusted-types-reporting-check-report-DedicatedWorker-create-policy.html]
-  [Test report-uri works with trusted-types violation.]
-    expected: FAIL
-
-  [Test number of sent reports.]
-    expected: FAIL

tests/wpt/meta/trusted-types/trusted-types-reporting-check-report-Window-create-policy.html.ini

@@ -1,6 +0,0 @@
-[trusted-types-reporting-check-report-Window-create-policy.html]
-  [Test report-uri works with trusted-types violation.]
-    expected: FAIL
-
-  [Test number of sent reports.]
-    expected: FAIL

tests/wpt/tests/content-security-policy/reporting-api/reporting-api-report-only-sends-reports-on-violation.https.sub.html

@@ -7,16 +7,16 @@
 </head>
 <body>
   <script>
-    var t1 = async_test("Test that image does not load");
+    var t1 = async_test("Test that image does load");
     async_test(function(t2) {
     window.addEventListener("securitypolicyviolation", t2.step_func(function(e) {
-        assert_equals(e.blockedURI, "{{location[scheme]}}://{{location[host]}}/content-security-policy/support/fail.png");
+        assert_equals(e.blockedURI, "{{location[scheme]}}://{{location[host]}}/content-security-policy/support/pass.png");
         assert_equals(e.violatedDirective, "img-src");
         t2.done();
       }));
     }, "Event is fired");
   </script>
-  <img src='/content-security-policy/support/fail.png'
+  <img src='/content-security-policy/support/pass.png'
        onload='t1.done();'
        onerror='t1.unreached_func("The image should have loaded");'>