Fix PingLoader to omit credentials for cross-origin violation reports

My patch http://crrev.com/b3b697fc8bcc938e8b9ab32a34fc5933494faaa1 broke
the PingLoader code path for CSP violation reporting by always passing
AllowStoredCredentials by mistake.

The test report-cross-origin-no-cookies.html (now named .php) introduced
by http://crrev.com/a161a28377d8d71b63a02066574fb47f03dd4b3b included a
sync XHR to set a cookie for the remote host, but it has been not
working because:
- its withCredentials is not set to true
- testRunner is not configured to accept third party cookies
- setCookies.cgi emits wildcard Access-Control-Allow-Origin which is
  invalid for credentialled CORS requests
- it has non-CORS-safelisted header SET-COOKIE

So, the test didn't catch this breakage.

This CL fixes it by using a no-cors fetch() to
/security/resources/set-cookie.php which takes arguments via the query
part of a URL.

BUG=646780
R=mkwst@chromium.org

Review-Url: https://codereview.chromium.org/2345463002
Cr-Commit-Position: refs/heads/master@{#422787}

third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-expected.txt

-CONSOLE WARNING: line 9: Synchronous XMLHttpRequest on the main thread is deprecated because of its detrimental effects to the end user's experience. For more help, check https://xhr.spec.whatwg.org/.
-CONSOLE ERROR: line 17: Refused to load the image 'http://127.0.0.1:8000/security/resources/abe.png' because it violates the following Content Security Policy directive: "img-src 'none'".
+CONSOLE ERROR: Refused to load the image 'http://127.0.0.1:8000/security/resources/abe.png' because it violates the following Content Security Policy directive: "img-src 'none'".
 
 PingLoader dispatched to 'http://localhost:8080/security/contentSecurityPolicy/resources/save-report.php?test=report-cross-origin-no-cookies.php'.
 CSP report received:
@@ -7,4 +6,4 @@ CONTENT_TYPE: application/csp-report
 HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-cross-origin-no-cookies.php
 REQUEST_METHOD: POST
 === POST DATA ===
-{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-cross-origin-no-cookies.php","referrer":"","violated-directive":"img-src 'none'","effective-directive":"img-src","original-policy":"img-src 'none'; report-uri http://localhost:8080/security/contentSecurityPolicy/resources/save-report.php?test=report-cross-origin-no-cookies.php","blocked-uri":"http://127.0.0.1:8000/security/resources/abe.png","line-number":17,"source-file":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-cross-origin-no-cookies.php","status-code":200}}
+{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-cross-origin-no-cookies.php","referrer":"","violated-directive":"img-src 'none'","effective-directive":"img-src","original-policy":"img-src 'none'; report-uri http://localhost:8080/security/contentSecurityPolicy/resources/save-report.php?test=report-cross-origin-no-cookies.php","blocked-uri":"http://127.0.0.1:8000/security/resources/abe.png","status-code":200}}

third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies.php

@@ -8,15 +8,25 @@ header("Content-Security-Policy: img-src 'none'; report-uri http://localhost:808
 </head>
 <body>
 <script>
-    var xhr = new XMLHttpRequest();
-    xhr.open("GET", "http://localhost:8080/cookies/resources/setCookies.cgi", false);
-    xhr.setRequestHeader("SET-COOKIE", "cspViolationReportCookie=crossOrigin;path=/");
-    xhr.send(null);
-</script>
+if (window.testRunner) {
+  testRunner.dumpAsText();
+  testRunner.waitUntilDone();
+  testRunner.setBlockThirdPartyCookies(false);
+}
 
-<!-- This image will generate a CSP violation report. -->
-<img src="/security/resources/abe.png">
+fetch(
+    "http://localhost:8080/security/resources/set-cookie.php?name=cspViolationReportCookie&value=crossOrigin",
+    {mode: 'no-cors', credentials: 'include'})
+  .then(() => {
+    // This image will generate a CSP violation report.
+    const img = new Image();
 
-<script src='resources/go-to-echo-report.js'></script>
+    img.onerror = () => {
+      window.location = "/security/contentSecurityPolicy/resources/echo-report.php?test=report-cross-origin-no-cookies.php";
+    };
+    img.src = "/security/resources/abe.png";
+    document.body.appendChild(img);
+  });
+</script>
 </body>
 </html>

third_party/WebKit/Source/core/loader/PingLoader.cpp

@@ -417,8 +417,8 @@ bool sendPingCommon(LocalFrame* frame,
 
   // The loader keeps itself alive until it receives a response and disposes
   // itself.
-  PingLoaderImpl* loader = new PingLoaderImpl(frame, request, initiator,
-                                              AllowStoredCredentials, true);
+  PingLoaderImpl* loader =
+      new PingLoaderImpl(frame, request, initiator, credentialsAllowed, true);
   DCHECK(loader);
 
   return true;