This was a bit confusing at first, but the report-only only
had an effect if it was used in conjunction with the regular
CSP header. This is incorrect, as the report-only header
can be present on its own.
Additionally, there was double-logic for parsing the CSP list
values, since we can only concatenate CSP lists if we have
an initial value, which requires a concrete policy value.
Therefore, abstract that way by looping over both headers and
handling the case where initially it is `None` and, if the
CSP header is not present, still `None` when we parse
the `report-only` header.
Additionally, update a WPT test. It was expecting the image
to load, yet was showing the fail image.
Part of #4577
Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com>
Extending the original set from #36402 since there are additional tests
relevant to the work happening in #36409 and #36363.
Testing: New tests in CI.
Fixes: Part of https://github.com/servo/servo/issues/4577
Signed-off-by: Josh Matthews <josh@joshmatthews.net>
