Disallow credentials from cross-origin reports (#186)

This changes the credentials mode for reports to 'same-origin' and adds a note explaining the rationale for not using 'omit' instead.

 Closes: #161

Author: clelland

index.src.html

@@ -616,10 +616,19 @@ <h4 id="try-delivery" algorithm>
       :   `unsafe-request` flag
       ::  set
       :   `credentials`
-      ::  "`include`"
+      ::  "`same-origin`"
       :   `body`
       ::  A [=/body=] whose [=body/source=] is |body|.
 
+      Note: Reports are sent with credentials set to `same-origin`. This allows
+      reporting endpoints which are same-origin with the reporting page to get
+      extra context about the nature of the report: for example, to understand
+      whether a given user's account is triggering errors consistently, or if a
+      certain sequence of actions taken on other pages is triggering a report on
+      this page. This does not leak any new information to the reporting
+      endpoint that it could not obtain in other ways. That is not the case for
+      cross-origin reporting endpoints, so they do not receive credentials.
+
   4.  <a>Queue a task</a> to <a>fetch</a> |request|.
 
   5.  <a>Wait for a response</a> (|response|).