sesh / ready

Are you production ready?
ISC License

Privacy: Reporting API is a significant source of entropy #12

Closed Seirdy closed 7 months ago

Seirdy commented 11 months ago

I generally recommend that people make heavy use of reporting endpoints in staging and internal pages, or possibly for pages with a debug query parameter, but not for public-facing pages. CSP, NEL, etc. reports carry significant entropy, especially with script-sample; this could be a major privacy issue. Simply eyeballing a CSP audit log could easily let me pick out users with Tridactyl or Canvas Fingerprinting Defender addons installed, for instance.

I suggest downgrading the checks for the reporting endpoints to an "INFO" severity level, or removing them. I'd more gently suggest warning on use of script-sample due to privacy concerns.

sesh commented 11 months ago

This is a really good privacy call-out.

To start: I'm adding a check for report-sample in the CSP, I agree that there are very few production use cases for this.

MDN docs for that directive are on the CSP page: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy

sesh commented 11 months ago

Thanks again for these suggestions!

I'm going to leave this one open while I think about how I want to implement it. I agree that the "INFO" type notice for these might make sense, but I'm actually tempted to remove the checks altogether instead (because generally, the tool should give definitive answers).
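A check of the kind discussed in this thread, written here as an added example (not code from the ready project): it parses a Content-Security-Policy value, flags the 'report-sample' keyword as a privacy warning, and lists report-uri / report-to endpoints at INFO severity. The severity labels and function names are assumptions of this example.

```python
"""Added example, not ready's own code: CSP reporting/privacy check."""
from __future__ import annotations
from typing import NamedTuple


class Finding(NamedTuple):
    severity: str  # "WARN" or "INFO"; labels assumed for this example
    message: str


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a Content-Security-Policy value into {directive: [values]}.

    Directive names are case-insensitive and, per the CSP spec, the first
    occurrence of a directive wins; later duplicates are ignored.
    """
    policy: dict[str, list[str]] = {}
    for chunk in header.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue
        policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def check_reporting(header: str) -> list[Finding]:
    """Return privacy-related findings for the reporting parts of a CSP."""
    findings: list[Finding] = []
    policy = parse_csp(header)
    # 'report-sample' makes the browser include the first 40 characters of the
    # blocked inline script/style in each violation report, which can reveal
    # which browser extensions a visitor runs. Treat it as a warning.
    for name, values in policy.items():
        if "'report-sample'" in (v.lower() for v in values):
            findings.append(Finding(
                "WARN",
                f"{name} uses 'report-sample': violation reports will contain "
                "a sample of the blocked code; avoid on public pages"))
    # Reporting endpoints themselves are informational: reports still carry
    # entropy (blocked URI, source file, user agent), so note where they go.
    for name in ("report-uri", "report-to"):
        if name in policy:
            findings.append(Finding(
                "INFO",
                f"{name} sends violation reports to {' '.join(policy[name])}; "
                "consider limiting reporting to staging or internal pages"))
    return findings
```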