`report-sample` is not checked when firing "securitypolicyviolation" events

[mbrodesser-Igalia]

See https://w3c.github.io/webappsec-csp/#changes-from-level-2 step 11 and https://w3c.github.io/webappsec-csp/#report-violation step 3.3.

Seems an oversight?

[lukewarlow]

It seems that it should be checked when setting the violation sample value rather than when it's used?

https://w3c.github.io/webappsec-csp/#should-block-inline - for example.