CSPDirectiveList::checkSource ignores report-only mode
Issue description

CSPDirectiveList::checkSource seems to ignore ContentSecurityPolicyHeaderTypeReport, and always works as if it were in Enforce mode. This is different from CSPDirectiveList::checkSourceAndReportViolation, which, if the request in question isn't allowed, returns "denyIfEnforcingPolicy()" rather than "false". Discovered on https://codereview.chromium.org/2784753003/, some more details in the comments there.
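A simplified C++ model of the discrepancy described in this issue, added here as an illustration; it is not Chromium code. `DirectiveListModel`, `checkSourceAsReported`, `checkSourceModeAware` and the origin-list matching are assumptions, and `denyIfEnforcingPolicy()` is modeled as returning true (allow) for a report-only policy.

```cpp
#include <algorithm>
#include <iostream>
#include <string>
#include <utility>
#include <vector>

// Simplified model of the two check paths; not Blink source.
enum HeaderType { kEnforce, kReport };

struct DirectiveListModel {
  HeaderType header_type;
  std::vector<std::string> allowed;  // stand-in for a CSP source list
  mutable int reports_sent = 0;

  DirectiveListModel(HeaderType t, std::vector<std::string> a)
      : header_type(t), allowed(std::move(a)) {}

  bool isReportOnly() const { return header_type == kReport; }
  // Assumption: the "allowed" result to return after a failed match.
  bool denyIfEnforcingPolicy() const { return isReportOnly(); }

  bool matches(const std::string& origin) const {
    return std::find(allowed.begin(), allowed.end(), origin) != allowed.end();
  }
  // As described in the issue: the header type is never consulted.
  bool checkSourceAsReported(const std::string& origin) const {
    return matches(origin);
  }
  // Reporting path: record the violation, then defer to the mode.
  bool checkSourceAndReportViolation(const std::string& origin) const {
    if (matches(origin)) return true;
    ++reports_sent;
    return denyIfEnforcingPolicy();
  }
  // Hypothetical mode-aware silent check (no report is sent).
  bool checkSourceModeAware(const std::string& origin) const {
    return matches(origin) || denyIfEnforcingPolicy();
  }
};

int main() {
  // Constructed sample: report-only policy that lists one origin.
  DirectiveListModel ro(kReport, {"https://cdn.example"});
  const std::string other = "https://other.example";
  std::cout << "as reported: " << ro.checkSourceAsReported(other) << "\n"
            << "reporting path: " << ro.checkSourceAndReportViolation(other) << "\n"
            << "mode-aware: " << ro.checkSourceModeAware(other) << "\n";
  return 0;
}
```

In this model the report-only policy blocks the unlisted origin on the silent path while the reporting path allows it, which is the inconsistency the issue describes.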