Fix 7956: Disable reporting observers to expose violation reports to JS

[jumde]

Fix brave/brave-browser#7956

Reporting API is disabled on master because we disable background sync by default. But, the ReportingViolations can still be accessed via Reporting Observers. Disabling queuing of reports via reporting observers with this change.

Submitter Checklist:

• Submitted a ticket for my issue if one did not already exist.
• Used Github auto-closing keywords in the commit message.
• Added/updated tests for this change (for new code or code which already has tests).
• Verified that these changes build without errors on
  • Android
  • iOS
  • Linux
  • macOS
  • Windows
• Verified that these changes pass automated tests (unit, browser, security tests) on
  • iOS
  • Linux
  • macOS
  • Windows
• Verified that all lint errors/warnings are resolved (npm run lint)
• Ran git rebase master (if needed).
• Ran git rebase -i to squash commits (if needed).
• Tagged reviewers and labelled the pull request as needed.
• Request a security/privacy review as needed.
• Add appropriate QA labels (QA/Yes or QA/No) to include the closed issue in milestone
• Public documentation has been updated as necessary. For instance:
  • https://github.com/brave/brave-browser/wiki/Deviations-from-Chromium-(features-we-disable-or-remove)
  • https://github.com/brave/brave-browser/wiki/Proxy-redirected-URLs
  • https://github.com/brave/brave-browser/wiki/Fingerprinting-Protection-Mode
  • https://github.com/brave/brave-browser/wiki/Brave%E2%80%99s-Use-of-Referral-Codes
  • https://github.com/brave/brave-browser/wiki/Custom-Headers
  • https://github.com/brave/brave-browser/wiki/Web-compatibility-issues-with-tracking-protection
  • https://github.com/brave/brave-browser/wiki/QA-Guide

Test Plan:

1. Navigate to https://jumde.github.io/test/reporting_observer.html
2. Verify Reporting Observers not available is echoed to the document.

Reviewer Checklist:

• New files have MPL-2.0 license header.
• Request a security/privacy review as needed.
• Adequate test coverage exists to prevent regressions
• Verify test plan is specified in PR before merging to source

After-merge Checklist:

• The associated issue milestone is set to the smallest version that the
  changes has landed on.
• All relevant documentation has been updated.

[iefremov]

2020 :)

[iefremov]

you don't need to do this, NavigateToURL is a blocking call

[iefremov]

namespace {} for this var

[bridiver]

the whole thing is in an anonymous namespace which seems odd

[iefremov]

btw, this check is also not that useful - even if the page is not found, this would be a correct assertion

[bridiver]

I'm not sure if this needs to happen here, can't we block this in the network stack?

[bridiver]

does this actually make a callback directly in the renderer without going back to the browser process? I think there was browser process code for this?

[jumde]

@bridiver - The network calls are blocked by disabling background sync. The callback exposes the ViolationReports to the javascript. Callbacks are handled in the renderer here: https://cs.chromium.org/chromium/src/third_party/blink/renderer/core/frame/reporting_observer.cc?l=38

[iefremov]

btw, this can be replaced by EvalJs

[iefremov]

wondering if we really need to instantiate these clients?

[bridiver]

for reference what exactly does this do?

[jumde]

@bridiver = With ContextEnabled we'll be able to use --enable-blink-features=ReportingObservers" at runtime to enable ReportingObservers. Default behavior is disabled.