Support CSP report-only header (#36623)

This turned out to be a full rabbit hole. The new header
is parsed in the new `parse_csp_list_from_metadata` which
sets `disposition` to `report.

I was testing this with
`script-src-report-only-policy-works-with-external-hash-policy.html`
which was blocking the script incorrectly. Turns out that there
were multiple bugs in the CSP library, as well as a missing
check in `fetch` to report violations.

Additionally, in several locations we were manually reporting csp
violations, instead of the new `global.report_csp_violations`. As
a result of that, they would double report, since the report-only
header would be appended as a policy and now would report twice.

Now, all callsides use `global.report_csp_violations`. As a nice
side-effect, I added the code to set source file information,
since that was already present for the `eval` check, but nowhere
else.

Part of #36437

Requires servo/rust-content-security-policy#5

---------

Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com>
Signed-off-by: Tim van der Lippe <TimvdLippe@users.noreply.github.com>

tests/wpt/meta/content-security-policy/script-src/script-src-report-only-policy-works-with-external-hash-policy.html.ini

@@ -1,6 +0,0 @@
-[script-src-report-only-policy-works-with-external-hash-policy.html]
-  [Should fire securitypolicyviolation event]
-    expected: FAIL
-
-  [External script in a script tag with matching SRI hash should run.]
-    expected: FAIL

tests/wpt/meta/content-security-policy/script-src/script-src-sri_hash.sub.html.ini

@@ -2,8 +2,11 @@
   [multiple matching integrity]
     expected: FAIL
 
-  [partially matching integrity]
+  [matching integrity]
     expected: FAIL
 
-  [External script in a script tag with matching SRI hash should run.]
+  [matching integrity (case-insensitive algorithm)]
+    expected: FAIL
+
+  [matching plus unsupported integrity]
     expected: FAIL

tests/wpt/meta/content-security-policy/script-src/script-src-strict_dynamic_discard_source_expressions.html.ini

@@ -1,3 +0,0 @@
-[script-src-strict_dynamic_discard_source_expressions.html]
-  [Allowed scripts without a correct nonce are not permitted with `strict-dynamic`.]
-    expected: FAIL

tests/wpt/meta/content-security-policy/script-src/script-src-strict_dynamic_double_policy_honor_source_expressions.sub.html.ini

@@ -1,3 +0,0 @@
-[script-src-strict_dynamic_double_policy_honor_source_expressions.sub.html]
-  [Non-allowed script injected via `appendChild` is not permitted with `strict-dynamic` + a nonce+allowed double policy.]
-    expected: FAIL

tests/wpt/meta/content-security-policy/script-src/script-src-strict_dynamic_parser_inserted.html.ini

@@ -1,29 +1,5 @@
 [script-src-strict_dynamic_parser_inserted.html]
   expected: TIMEOUT
-  [Parser-inserted script via `document.write` without a correct nonce is not allowed with `strict-dynamic`.]
-    expected: FAIL
-
-  [Parser-inserted script via `document.writeln` without a correct nonce is not allowed with `strict-dynamic`.]
-    expected: FAIL
-
-  [Parser-inserted deferred script via `document.write` without a correct nonce is not allowed with `strict-dynamic`.]
-    expected: FAIL
-
-  [Parser-inserted deferred script via `document.writeln` without a correct nonce is not allowed with `strict-dynamic`.]
-    expected: FAIL
-
-  [Parser-inserted async script via `document.write` without a correct nonce is not allowed with `strict-dynamic`.]
-    expected: FAIL
-
-  [Parser-inserted async script via `document.writeln` without a correct nonce is not allowed with `strict-dynamic`.]
-    expected: FAIL
-
-  [Parser-inserted deferred async script via `document.write` without a correct nonce is not allowed with `strict-dynamic`.]
-    expected: FAIL
-
-  [Parser-inserted deferred async script via `document.writeln` without a correct nonce is not allowed with `strict-dynamic`.]
-    expected: TIMEOUT
-
   [Script injected via `innerHTML` is not allowed with `strict-dynamic`.]
     expected: TIMEOUT