Bug 216312

Violations of Content Security Policy restrictions for a document cause two observable effects (defined in https://w3c.github.io/webappsec-csp/#report-violation) - a SecurityPolicyViolationEvent is dispatched, and a report is sent to an endpoint defined in report-uri / report-to directive. For restricting eval and similar functions, this behavior is defined in https://w3c.github.io/webappsec-csp/#can-compile-strings (step 2.2.3). It seems like WebKit - while it correctly blocks() eval when CSP script-src without 'unsafe-eval' is used in a document, and allows it in other cases (including on when the CSP header is in its Report-Only variant), it does not do any reporting. This has an unfortunate effect - in report-only eval is allowed, but the web authors don't get notified about it, so when the webpage starts enforcing CSP, the behaviour changes without a way of detecting it earlier. eval is blocked(), most likely breaking the web application (+ there is no CSP report about this either, so it' s not easy to correlate the fails with the CSP enforcement). Steps to reproduce: 1. In Safari, go to https://gadgets.kotowicz.net/poc/tt/ 2. Click the 'generate eval violation' What should happen? 1. a JSON with the violation should appear on the screen 2. a SecurityPolicyViolationEvent should be logged in the console. What happens instead? 1. Eval is blocked, but no report is sent, or event dispatched.