Bug 216312

Violations of Content Security Policy restrictions for a document cause two observable effects (defined in https://w3c.github.io/webappsec-csp/#report-violation) - a SecurityPolicyViolationEvent is dispatched, and a report is sent to an endpoint defined in report-uri / report-to directive. 

For restricting eval and similar functions, this behavior is defined in https://w3c.github.io/webappsec-csp/#can-compile-strings (step 2.2.3).

It seems like WebKit - while it correctly blocks() eval when CSP script-src without 'unsafe-eval' is used in a document, and allows it in other cases (including on when the CSP header is in its Report-Only variant),  it does not do any reporting. 

This has an unfortunate effect - in report-only eval is allowed, but the web authors don't get notified about it, so when the webpage starts enforcing CSP, the behaviour changes without a way of detecting it earlier. eval is blocked(), most likely breaking the web application (+ there is no CSP report about this either, so it' s not easy to correlate the fails with the CSP enforcement). 

Steps to reproduce:

1. In Safari, go to https://gadgets.kotowicz.net/poc/tt/
2. Click the 'generate eval violation'

What should happen? 
1. a JSON with the violation should appear on the screen
2. a SecurityPolicyViolationEvent should be logged in the console.

What happens instead?
1. Eval is blocked, but no report is sent, or event dispatched.