Disable Reporting API #7956

@pes10k

Chromium includes a system called Reporting API. It's a broad API that is currently used to allow sites to instruct the browser to send at least the following types of information (possibly others) to arbitrary parties (i.e. first or 3p):

  • CSP errors
  • Network errors
  • Interventions (e.g. webRequest blocked something)
  • Crash reports

Most of the functionality is defined through HTTP headers, though there is a JS API that allows the site to see and edit reports as they go out.

There is a compile-time flag to disable Reporting API. We should do this. Of the functionality that goes through Reporting API, two have possible use cases (CSP and crash reports, though Brave opinions differ on whether they're user-respecting to have on by default), and two are clearly privacy harming (network error reporting, which is a clear tracking vector, and intervention reporting, which is obviously horrible).

Regardless of whether we decide to enable CSP and crash reports, there won't be resources to do so for a while. There is an "easy" way to disable the entire "parent" API (reporting API). We should do so ASAP, until there are resources to possibly re-enable the non-privacy harming parts.

Information about Reporting API

Test Plan

Specified here: brave/brave-core#4578
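
An audit sketch for the header-driven behaviour the issue describes, added here as an example and not part of the issue or Brave's code: it parses the `Report-To`, `Reporting-Endpoints`, `NEL` and CSP `report-uri` response headers (names taken from the Reporting, NEL and CSP specifications, not from this page) and lists where a site tells the browser to send reports. The sample headers and the function names are constructed, and the third-party check is a plain hostname suffix comparison rather than a public-suffix lookup.

```python
import json
import re
from urllib.parse import urljoin, urlsplit

# Constructed sample response headers for a page on site.example (not real traffic).
SAMPLE_HEADERS = {
    "Report-To": '{"group":"default","max_age":86400,'
                 '"endpoints":[{"url":"https://reports.collector.example/r"}]}, '
                 '{"group":"nel","max_age":86400,"endpoints":[{"url":"https://site.example/nel"}]}',
    "Reporting-Endpoints": 'csp="https://csp.collector.example/c"',
    "NEL": '{"report_to":"nel","max_age":86400}',
    "Content-Security-Policy":
        "default-src 'self'; report-uri https://site.example/csp-legacy; report-to csp",
}

def reporting_endpoints(headers):
    """Return {group_name: [urls]} for every reporting endpoint the headers declare."""
    h = {k.lower(): v for k, v in headers.items()}
    groups = {}
    # Report-To carries one or more comma-separated JSON objects.
    if "report-to" in h:
        for g in json.loads("[" + h["report-to"] + "]"):
            urls = [e["url"] for e in g.get("endpoints", [])]
            groups.setdefault(g.get("group", "default"), []).extend(urls)
    # Reporting-Endpoints is a dictionary of name="url" members.
    for name, url in re.findall(r'([\w*.-]+)\s*=\s*"([^"]+)"', h.get("reporting-endpoints", "")):
        groups.setdefault(name, []).append(url)
    # The legacy CSP report-uri directive lists URLs directly instead of naming a group.
    for directive in h.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "report-uri":
            groups.setdefault("(csp report-uri)", []).extend(parts[1:])
    return groups

def audit(page_host, headers):
    """List each endpoint with whether it is off-site and whether NEL reports go to it."""
    h = {k.lower(): v for k, v in headers.items()}
    nel_group = json.loads(h["nel"]).get("report_to") if "nel" in h else None
    findings = []
    for group, urls in reporting_endpoints(headers).items():
        for url in urls:
            host = urlsplit(urljoin(f"https://{page_host}/", url)).hostname or ""
            # Simplification: same host or a subdomain counts as first party.
            third = not (host == page_host or host.endswith("." + page_host))
            findings.append({"group": group, "url": url, "third_party": third,
                             "receives_nel": group == nel_group})
    return findings

if __name__ == "__main__":
    for finding in audit("site.example", SAMPLE_HEADERS):
        print(finding)
```
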
