Implement initial version of ReportingObserver (#37905)

The specification moved around lately with how it defines its reports
and report bodies. They became dictionaries, but are currently missing
some fields [1].

Most tests won't be passing yet, since the `Reporting-Endpoints` header
isn't used yet. In fact, the specification leaves it up to the browser
to figure out when to run this task [2]. I am not sure if there some
background scheduling we can do here.

Confirmed with content-security-policy/reporting-api/
report-to-directive-allowed-in-meta.https.sub.html that the callback is
invoked. The test doesn't pass, since
the `describe_scripted_caller` is empty for HTML elements. Thus the
`source_file` is empty, whereas it should be equivalent to the current
document URL.

Part of #37328

Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com>

[1]: https://github.com/w3c/reporting/issues/286
[2]: https://w3c.github.io/reporting/#report-delivery

components/script_bindings/webidls/CSPViolationReportBody.webidl

@@ -0,0 +1,19 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at https://mozilla.org/MPL/2.0/. */
+
+// https://w3c.github.io/webappsec-csp/#dictdef-cspviolationreportbody
+
+dictionary CSPViolationReportBody : ReportBody {
+  required USVString documentURL;
+  USVString referrer;
+  USVString blockedURL;
+  required DOMString effectiveDirective;
+  required DOMString originalPolicy;
+  USVString sourceFile;
+  DOMString sample;
+  required SecurityPolicyViolationEventDisposition disposition;
+  required unsigned short statusCode;
+  unsigned long lineNumber;
+  unsigned long columnNumber;
+};