Fix reporting when only the report-only CSP header is present (#38002)

This was a bit confusing at first, but the report-only only
had an effect if it was used in conjunction with the regular
CSP header. This is incorrect, as the report-only header
can be present on its own.

Additionally, there was double-logic for parsing the CSP list
values, since we can only concatenate CSP lists if we have
an initial value, which requires a concrete policy value.

Therefore, abstract that way by looping over both headers and
handling the case where initially it is `None` and, if the
CSP header is not present, still `None` when we parse
the `report-only` header.

Additionally, update a WPT test. It was expecting the image
to load, yet was showing the fail image.

Part of #4577

Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com>

tests/wpt/meta/content-security-policy/inside-worker/dedicatedworker-report-only.html.ini

@@ -1,16 +1,7 @@
 [dedicatedworker-report-only.html]
   expected: TIMEOUT
-  [Cross-origin 'fetch()'.]
-    expected: TIMEOUT
-
-  [Cross-origin XHR.]
-    expected: NOTRUN
-
-  [Same-origin => cross-origin 'fetch()'.]
-    expected: NOTRUN
-
   [WebSocket.]
-    expected: NOTRUN
+    expected: TIMEOUT
 
   [connect-src-self-report-only]
     expected: NOTRUN