Fix reporting when only the report-only CSP header is present (#38002)

This was a bit confusing at first, but the report-only only had an effect if it was used in conjunction with the regular CSP header. This is incorrect, as the report-only header can be present on its own. Additionally, there was double-logic for parsing the CSP list values, since we can only concatenate CSP lists if we have an initial value, which requires a concrete policy value. Therefore, abstract that way by looping over both headers and handling the case where initially it is `None` and, if the CSP header is not present, still `None` when we parse the `report-only` header. Additionally, update a WPT test. It was expecting the image to load, yet was showing the fail image. Part of #4577 Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com>
2025-08-10 16:05:43 +01:00 · 2025-07-12 12:38:30 +02:00 · 2025-07-12 12:38:30 +02:00 · 2c116f4011
commit 2c116f4011
parent 9b5b26386c
15 changed files with 48 additions and 124 deletions
--- a/tests/wpt/meta/content-security-policy/script-src/eval-allowed-in-report-only-mode-and-sends-report.html.ini
+++ b/tests/wpt/meta/content-security-policy/script-src/eval-allowed-in-report-only-mode-and-sends-report.html.ini
@ -1,3 +0,0 @@
-[eval-allowed-in-report-only-mode-and-sends-report.html]
-  [Violation report status OK.]
-    expected: FAIL