CSP: 'eval()' blocked in report-only mode should send a violation report.

Source/core/page/ContentSecurityPolicy.cpp

Index: Source/core/page/ContentSecurityPolicy.cpp
diff --git a/Source/core/page/ContentSecurityPolicy.cpp b/Source/core/page/ContentSecurityPolicy.cpp
index 8c3fd7fc8b0e7b9740b6c6b6ed260ef3b9a84e09..f2b0b4e3ae5853d786a3fc3b3e11b2aea0479e7c 100644
--- a/Source/core/page/ContentSecurityPolicy.cpp
+++ b/Source/core/page/ContentSecurityPolicy.cpp
@@ -1464,7 +1464,9 @@ void ContentSecurityPolicy::addPolicyFromHeaderValue(const String& header, Heade
         // header1,header2 OR header1
         //        ^                  ^
         OwnPtr<CSPDirectiveList> policy = CSPDirectiveList::create(this, begin, position, type);
-        if (!policy->isReportOnly() && !policy->allowEval(0, SuppressReport))
+
+        // We disable 'eval()' even in the case of report-only policies, and rely on the check in the V8Initializer::codeGenerationCheckCallbackInMainThread callback to determine whether the call should execute or not.
+        if (!policy->allowEval(0, SuppressReport))
             m_scriptExecutionContext->disableEval(policy->evalDisabledErrorMessage());
 
         m_policies.append(policy.release());