The Vulnerability History Project

CSP should let sites both enforce one policy and monitor another

      https://bugs.webkit.org/show_bug.cgi?id=85561

Reviewed by Eric Seidel.

Source/WebCore:

This patch lets us enforce and/or monitor multiple CSP policies.
Rather than having a single directive list, we now have a vector of
directive lists.

Tests: http/tests/security/contentSecurityPolicy/combine-multiple-policies.html
       http/tests/security/contentSecurityPolicy/report-and-enforce.html

* page/ContentSecurityPolicy.cpp:
(WebCore::ContentSecurityPolicy::copyStateFrom):
(WebCore::ContentSecurityPolicy::didReceiveHeader):
(WebCore::ContentSecurityPolicy::deprecatedHeader):
(WebCore::ContentSecurityPolicy::deprecatedHeaderType):
    - Even after this patch, workers aren't smart enough to enforce
      multiple policies.  They just use the first header, like they did
      before.  We'll need to teach workers how to enforce multiple
      policies in a future patch.
(WebCore::ContentSecurityPolicy::allowJavaScriptURLs):
(WebCore::ContentSecurityPolicy::allowInlineEventHandlers):
(WebCore::ContentSecurityPolicy::allowInlineScript):
(WebCore::ContentSecurityPolicy::allowInlineStyle):
(WebCore::ContentSecurityPolicy::allowEval):
(WebCore::ContentSecurityPolicy::allowScriptFromSource):
(WebCore::ContentSecurityPolicy::allowObjectFromSource):
(WebCore::ContentSecurityPolicy::allowChildFrameFromSource):
(WebCore::ContentSecurityPolicy::allowImageFromSource):
(WebCore::ContentSecurityPolicy::allowStyleFromSource):
(WebCore::ContentSecurityPolicy::allowFontFromSource):
(WebCore::ContentSecurityPolicy::allowMediaFromSource):
(WebCore::ContentSecurityPolicy::allowConnectFromSource):
* page/ContentSecurityPolicy.h:
* workers/DefaultSharedWorkerRepository.cpp:
(WebCore::SharedWorkerScriptLoader::notifyFinished):
* workers/WorkerMessagingProxy.cpp:
(WebCore::WorkerMessagingProxy::startWorkerContext):

Source/WebKit/chromium:

* src/SharedWorkerRepository.cpp:
(WebCore::SharedWorkerScriptLoader::notifyFinished):
* sr
    
commit 563fa049e6e5b8d7c45579726399dbd4b5542ab5
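Added example, not code from the WebKit patch: a simplified C++ model of the behaviour the commit message describes, where a vector of directive lists is consulted for each load, only an enforced list can block it, and a monitored list only produces a report. The `PolicySetModel` class, its signatures, the exact-origin matching and the `.example` origins are assumptions made for illustration.

```cpp
#include <iostream>
#include <set>
#include <string>
#include <utility>
#include <vector>

// Assumption: each policy is reduced to a script-src allowlist of exact origins.
struct DirectiveList {
    bool reportOnly;                  // true = monitor only, false = enforce
    std::set<std::string> scriptSrc;  // origins allowed to serve script
    bool allows(const std::string& origin) const { return scriptSrc.count(origin) > 0; }
};

struct Decision {
    bool allowed = true;               // false once any enforced list rejects the load
    std::vector<std::string> reports;  // one entry per violated list, enforced or not
};

class PolicySetModel {  // hypothetical stand-in for the vector of directive lists
public:
    void didReceiveHeader(bool reportOnly, std::set<std::string> scriptSrc) {
        m_policies.push_back({reportOnly, std::move(scriptSrc)});
    }
    // Every list is checked: enforced lists intersect, monitored lists never block.
    Decision allowScriptFromSource(const std::string& origin) const {
        Decision d;
        for (size_t i = 0; i < m_policies.size(); ++i) {
            const DirectiveList& p = m_policies[i];
            if (p.allows(origin)) continue;
            d.reports.push_back("policy " + std::to_string(i) +
                (p.reportOnly ? " (report-only)" : " (enforced)") + " violated by " + origin);
            if (!p.reportOnly) d.allowed = false;
        }
        return d;
    }
private:
    std::vector<DirectiveList> m_policies;
};

PolicySetModel samplePolicies() {  // constructed sample headers
    PolicySetModel s;
    s.didReceiveHeader(false, {"https://app.example", "https://cdn.example"});
    s.didReceiveHeader(true,  {"https://app.example"});  // stricter candidate under test
    s.didReceiveHeader(false, {"https://app.example", "https://cdn.example", "https://legacy.example"});
    return s;
}

int main() {
    for (const char* o : {"https://app.example", "https://cdn.example", "https://legacy.example"}) {
        Decision d = samplePolicies().allowScriptFromSource(o);
        std::cout << o << (d.allowed ? " allowed, " : " blocked, ") << d.reports.size() << " report(s)\n";
    }
}
```

The `legacy.example` case shows why combining matters: the third header allows it, but the first enforced header does not, so the load is blocked.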