We should consider merging https://chromium.googlesource.com/chromium/blink/+/d2b1d6072cc7c5bf6de86cf3b834228e754b05b1 CSP: Suppress stored credentials when sending cross-origin violation reports. The spec recently changed to mandate that cross-origin violation reports be POSTed without cookies[1]. This patch changes PingLoader::PingLoader to accept a StoredCredentials argument, and ensures that PingLoader::sendViolationReport sets it correctly based on the origins of the protected resource and the reporting endpoint. Two tests are included, which required the addition of CORS headers to http/tests/cookies/resources/setCookies.cgi in order to synchronously set cookies cross-origin via XHR. Additionally, the reporting endpoint was updated to write the cookie header into the output, and then clear any set cookies so as not to leak into other tests. [1]: https://dvcs.w3.org/hg/content-security-policy/rev/788b0b653c39
<rdar://problem/24383107>
This was fixed in the patch for bug #146754.