CSP: 'sandbox' should be ignored in report-only mode.

Source/core/frame/ContentSecurityPolicy.cpp

Index: Source/core/frame/ContentSecurityPolicy.cpp
diff --git a/Source/core/frame/ContentSecurityPolicy.cpp b/Source/core/frame/ContentSecurityPolicy.cpp
index 4c3cbe42472a78353ff0c53ffac601e356ea6179..970ab2fc211375856023f3fc5efe4338a3702d4e 100644
--- a/Source/core/frame/ContentSecurityPolicy.cpp
+++ b/Source/core/frame/ContentSecurityPolicy.cpp
@@ -1386,6 +1386,10 @@ void CSPDirectiveList::setCSPDirective(const String& name, const String& value,
 
 void CSPDirectiveList::applySandboxPolicy(const String& name, const String& sandboxPolicy)
 {
+    if (m_reportOnly) {
+        m_policy->reportInvalidInReportOnly(name);
+        return;
+    }
     if (m_haveSandboxPolicy) {
         m_policy->reportDuplicateDirective(name);
         return;
@@ -1911,6 +1915,11 @@ void ContentSecurityPolicy::reportViolation(const String& directiveText, const S
     didSendViolationReport(stringifiedReport);
 }
 
+void ContentSecurityPolicy::reportInvalidInReportOnly(const String& name) const
+{
+    logToConsole("The Content Security Policy directive '" + name + "' is ignored when delivered in a report-only policy.");
+}
+
 void ContentSecurityPolicy::reportUnsupportedDirective(const String& name) const
 {
     DEFINE_STATIC_LOCAL(String, allow, ("allow"));