Chrome Version: 57.0.2987.133
What steps will reproduce the problem?
(1) Visit an https page that serves the header `Content-Security-Policy-Report-Only: frame-src https:; report-uri /foo`
(2) Run the following JS in the console to insert an https iframe that redirects to http:
// Insert an iframe whose https URL redirects to http.
var i = document.createElement("iframe");
document.body.appendChild(i);
i.src = "https://ask.com";
What is the expected result?
CSP violation noted in the console and a report sent to /foo.
What happens instead?
Mixed Content blocking message appears in console, but no CSP violation reports.
This looks like it violates the Fetch spec; https://fetch.spec.whatwg.org/#concept-main-fetch specifies that CSP report-only violations are sent before mixed content is checked.
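The ordering this report relies on, as an added example that is not part of the original report or of Chromium's code: a simplified model in which main fetch is re-run for every redirect hop and the report-only CSP check comes before the mixed content check. The function names and the http redirect target are constructed for illustration, and only scheme-sources such as `https:` are matched.

```javascript
// Simplified model of the Fetch "main fetch" ordering for one iframe request.
// Assumptions: the embedding page is https, the only policy is the report-only
// one from the report, and source matching is reduced to exact scheme comparison.
const REPORT_ONLY_POLICY = { directive: "frame-src", sources: ["https:"], reportUri: "/foo" };

// True when the URL's scheme is not in the directive's source list.
function violatesPolicy(url, policy) {
  return !policy.sources.includes(new URL(url).protocol);
}

// Mixed content check for a blockable (iframe) request made from an https page.
function isBlockedAsMixedContent(url) {
  return new URL(url).protocol === "http:";
}

// HTTP-redirect fetch re-enters main fetch, so both checks run once per hop:
// first "report CSP violations", then "blocked as mixed content?".
function mainFetchEvents(hops, policy) {
  const events = [];
  hops.forEach((url, hop) => {
    if (events.some((e) => e.type === "mixed-content-block")) return; // fetch already failed
    if (violatesPolicy(url, policy)) {
      events.push({ type: "csp-report", hop, sentTo: policy.reportUri });
    }
    if (isBlockedAsMixedContent(url)) {
      events.push({ type: "mixed-content-block", hop });
    }
  });
  return events;
}

// Constructed redirect chain: the https URL from the report, then a
// placeholder http target (the real redirect target is not given in the report).
const SAMPLE_HOPS = ["https://ask.com/", "http://ask.example/"];

// Expected per the spec ordering: a report for hop 1, then the block for hop 1.
console.log(mainFetchEvents(SAMPLE_HOPS, REPORT_ONLY_POLICY));
```

The behaviour described in the report corresponds to only the `mixed-content-block` event appearing, with the `csp-report` event missing.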
Comment 1 by est...@chromium.org, Nov 10 2017