CSP: Strip reported URLs for 'frame-src' and 'object-src'.

third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/frame-src-blocked.html

-<meta http-equiv="Content-Security-Policy" content="frame-src 'none'">
-<script src="resources/dump-as-text.js"></script>
-<iframe src="resources/alert-fail.html"></iframe>
+<!doctype html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<meta http-equiv="Content-Security-Policy" content="frame-src 'self'">
+<script>
+    async_test(t => {
+        var watcher = new EventWatcher(t, document, ['securitypolicyviolation']);
+        watcher
+            .wait_for('securitypolicyviolation')
+            .then(t.step_func(e => {
+                assert_equals(e.blockedURI, "http://localhost:8000", "The reported URL should be stripped.");
+                assert_equals(e.lineNumber, 21, "IFrame injected from script on this page.");
+                t.done();
+            }));
+
+        window.onmessage = t.unreached_func('No message should be sent from the frame.');
+        window.onload = _ => {
+            var url = "http://localhost:8000/security/resources/post-done.html";
+            var i = document.createElement('iframe');
+            i.src = url;
+            document.body.appendChild(i);
+        };
+    }, "The unredirected frame is blocked.");
+</script>