Block moz-extension CSP reports

[ghostwords]

Fixes a part of #1793.

Although this blocks all source-file: "moz-extension" CSP reports, we still have the issue of some of our scripts being blocked by page CSPs in Firefox.

Note that script surrogates are no longer subject to page CSPs (#2801).

DDG's test page: https://privacy-test-pages.glitch.me/security/csp-report/index.html

What does still get broken by page CSPs in Firefox?

Anything injected into page-level contexts ("main world"). So, navigator.doNotTrack, canvas fp. detection, document.cookie/localStorage blocking, ...

if your extension injects a (dynamically generated or static) inline script

— https://bugzilla.mozilla.org/show_bug.cgi?id=1588957#c13

Are there any MV2 workarounds?

Yes, inject page scripts from web_accessible_resources or via "Xray vision" instead.

https://bugzilla.mozilla.org/show_bug.cgi?id=1591983#c1

How will this change with MV3?

TBD

[ghostwords]

We don't register in Chrome because lol it's REQUEST_BODY there, but ... Should we have a more robust check? The check needs to be synchronous though, to keep the listener "persistent" (#2882).

[JulienPalard]

I'm not able to proofread the implementation, but the idea of blocking CSP reports on moz-extensions make a lot of sense to me:

• It prevents the reports to be used to fingerprint users or whatever stats can be done with them.
• It avoid flooding website admins with reports that are unrelated with said site (no we won't ask our users to uninstall Privacy Badger just so we don't get reports, I'm a big fan of the extension myself to the point I recommend it on my pet project here: https://www.hackinscience.org/about/ ♥).