Lack of reporting shouldn't block --isolate-extensions, because chrome-extension://... URIs are exempt from CSP checks - see  issue 524356  + the fact that extensions/renderer/dispatcher.cc passes chrome-extension: and chrome-extension-resource: schemes to WebSecurityPolicy::registerURLSchemeAsBypassingContentSecurityPolicy.

OTOH, lack of reporting is a regression in web platform behavior - web developers cannot rely on CSP reporting if non-extension-related remote frames are present.  Therefore, let me mark this bug as TDI blocking.

One simple fix for this bug would be to introduce a pair of IPC messages that allows propagation of the CSP violation from ContentSecurityPolicy::reportViolation associated with a RemoteFrame to the one associated with a LocalFrame.

Pros:
- Behavior unified across local and remote frames (i.e. shipping of TDI is unblocked).
- Can enable more tests (e.g. http/tests/security/contentSecurityPolicy/frame-src-child-frame-navigates-to-blocked-origin.html)

Cons:
- The new IPC message might be throwaway work considering 1) ongoing mojofication and 2) desire to move some CSP checks (including frame-src checks) to the browser process.

I put together a CL that implements #c3 - https://codereview.chromium.org/2190183002.  Note, that this CL has some remaining issues that still need resolving (mainly around possibility of a navigation race once frame-action is enforced in other windows).

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/418493737b95a0dfc8340d3a5c559afe6aef57fb

commit 418493737b95a0dfc8340d3a5c559afe6aef57fb
Author: lukasza <lukasza@chromium.org>
Date: Thu Aug 18 18:08:23 2016

Fix site-per-process expectations related to CSP violation reporting.

Test expectations need to be adjusted, because after r412809 the test
waits for a "securitypolicyviolation" event (and this event is not
properly propagated for OOPIFs - https://crbug.com/611232).

BUG=611232
NOTRY=true

Review-Url: https://codereview.chromium.org/2260603002
Cr-Commit-Position: refs/heads/master@{#412891}

[modify] https://crrev.com/418493737b95a0dfc8340d3a5c559afe6aef57fb/third_party/WebKit/LayoutTests/FlagExpectations/site-per-process

Status update:

- This is still broken (correct blocking, but no violation reports)

- An attempt to fix this in https://codereview.chromium.org/2190183002 is blocked because of potential race conditions.  This was discussed over email (subject: CSP violation reporting question) between estark@, creis@, alexmos@, mkwst@ and me (unfortunately no track of that discussion in the code review or bug...).
 
- Not sure anymore if this is doable without moving the affected CSP checks (e.g. frame-src) to the browser.

Note that we will have to solve CSP checks for navigations performed browser-side for PlzNavigate, so this might be shared goal between the two efforts.

I've tried to run the affected layout test (http/tests/security/contentSecurityPolicy/frame-src-child-frame-navigates-to-blocked-origin.html) with *both* --site-per-process and PlzNavigate and the test almost passes (the only remaining problem is e.lineNumber == 0 in securitypolicyviolation event).

So - it seems that shipping PlzNavigate will mostly fix this bug.

Disclaimer - even after PlzNavigate ships we should keep this bug active - we would still want to get rid of the code responsible for replicating CSP headers into remote frames (i.e. undo r394200).

@lukasza: The line number is 0 instead of 7 with PlzNavigate, but that the expected behavior (i.e. there is a problem without PlzNavigate). If you look at the description in the test, you will see:
"This shouldn't actually be 7, since it happens in a cross-origin frame. :/".
It means that the main frame must not know what line of code its child frame is executing. We don't want to leak neither its SourceLocation nor its full URL with its path.
FYI: SourceLocation and GURL's path data are removed in
RenderFrameHostImpl::SanitizeDataForUseInCspViolation

After PlzNavigate ships, I agree that we will be able to get rid of the code responsible for replicating CSP into remote frames.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/16295fe01a1264e488dc0f7837f53e6f01e74743

commit 16295fe01a1264e488dc0f7837f53e6f01e74743
Author: Lukasz Anforowicz <lukasza@chromium.org>
Date: Mon Mar 05 22:18:14 2018

Remove test exceptions for tests that have "healed" themselves

Bug: 477150,  789781 ,  769508 ,  661725 
Bug: 611232,  745881 ,  801992 
Change-Id: If90fb04e97513b99716afd844a2a77ca0905ab3d
Reviewed-on: https://chromium-review.googlesource.com/942316
Reviewed-by: Alex Moshchuk <alexmos@chromium.org>
Reviewed-by: Charlie Reis <creis@chromium.org>
Commit-Queue: Łukasz Anforowicz <lukasza@chromium.org>
Cr-Commit-Position: refs/heads/master@{#540958}
[modify] https://crrev.com/16295fe01a1264e488dc0f7837f53e6f01e74743/third_party/WebKit/LayoutTests/FlagExpectations/site-per-process

Assigning to myself to undo r394200 as described in #c12 above.