Correct event_target for CSP violations (#36887)

All logic is implemented in `report_csp_violations` to avoid
pulling in various element-logic into SecurityManager.

Update the `icon-blocked.sub.html` WPT test to ensure that
the document is the correct target (verified in Firefox and Chrome).

Fixes #36806

Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com>

tests/wpt/meta/fetch/metadata/report.https.sub.html.ini

@@ -1,2 +1,10 @@
 [report.https.sub.html]
-  expected: TIMEOUT
+  expected: ERROR
+  [same-origin report]
+    expected: TIMEOUT
+
+  [same-site report]
+    expected: TIMEOUT
+
+  [cross-site report]
+    expected: TIMEOUT