NEL reports are not observable (#77)

State this explicitly (even though it's the default), and add a note
explaining why, to help ensure that we don't accidentally remove this
restriction in the future.

Author: dcreager

index.html

@@ -212,6 +212,7 @@ <h2>Dependencies</h2>
             <li><dfn data-cite="!REPORTING#report" data-lt="reports">report</dfn></li>
             <li><dfn data-cite="!REPORTING#report-body">report body</dfn></li>
             <li><dfn data-cite="!REPORTING#report-type">report type</dfn></li>
+            <li><dfn data-cite="!REPORTING#visible-to-reporting-observers">visible to <code>ReportingObserver</code>s</dfn></li>
           </ul>
         </dd>
         <dt>Resource Timing</dt>
@@ -336,6 +337,21 @@ <h2>Network requests</h2>
       A <a>network request</a> is <dfn data-lt="fail">failed</dfn> if it is not
       <a>successful</a>.
       </p>
+
+      <p>
+      <a>Network error reports</a> are <strong>NOT</strong> <a>visible to
+        <code>ReportingObserver</code>s</a>.
+      </p>
+
+      <p class="note">
+      <a>Network error reports</a> are not <a>visible to
+        <code>ReportingObserver</code>s</a> because they are only intended to be
+      visible to the administrator or owner of the server <em>receiving</em> the
+      requests.  If they were <a>visible to <code>ReportingObserver</code>s</a>,
+      then the reports would also be visible to the <em>originator</em> of the
+      request.  For cross-origin requests, this could leak information about the
+      server's network configuration to parties outside of its control.
+      </p>
     </section>
 
     <section>