Ensure that subdomain policies are only for DNS. (#144)

This CL moves the subdomain check -- which is supposed to ensure that
only DNS errors are reported for subdomains -- before the step which
can downgrade reports, since that step can change some reports into
DNS reports, even they were not originally.

Closes: #141

Author: clelland

index.html

@@ -1136,6 +1136,22 @@ <h2>Extract response headers</h2>
           </dl>
         </li>
 
+        <li>
+          If <var>origin</var> is not equal to <var>policy</var>'s <a
+          data-lt="policy origin">origin</a>, <var>policy</var>'s
+          <a>subdomains</a> flag is <code>include</code>, and <var>report
+          body</var>'s <code>phase</code> property is not <code>dns</code>,
+          return null.
+
+          <p class="note">
+          This step ensures that <a data-lt="subdomains">subdomain</a> <a>NEL
+          policies</a> can only be used to generate reports about subdomains of
+          the <a>policy origin</a> during the <a>DNS resolution</a> phase of a
+          <a>request</a>. See <a href="#privacy-considerations"></a> for more
+          details.
+          </p>
+        </li>
+
         <li>
           If <var>report body</var>'s <code>phase</code> property is not
           <code>dns</code>, and <var>report body</var>'s <code>server_ip</code>
@@ -1177,14 +1193,6 @@ <h2>Extract response headers</h2>
           </p>
         </li>
 
-        <li>
-          If <var>origin</var> is not equal to <var>policy</var>'s <a
-          data-lt="policy origin">origin</a>, <var>policy</var>'s
-          <a>subdomains</a> flag is <code>include</code>, and <var>report
-          body</var>'s <code>phase</code> property is not <code>dns</code>,
-          return null.
-        </li>
-
         <li>
           Return <var>report body</var> and <var>policy</var>.
         </li>