Clipping of violation’s sample to the 40 first characters

[fred-wang]

See w3c/webappsec-csp#704

The Trusted Types spec also mentions clipping to 40 first characters, and this can have similar ambiguity and implementation issues:

https://w3c.github.io/trusted-types/dist/spec/#should-block-sink-type-mismatch
https://w3c.github.io/trusted-types/dist/spec/#should-block-create-policy
(and in https://w3c.github.io/trusted-types/dist/spec/#privacy-considerations)

[fred-wang]

Another inconsistency: the CSP spec relies on the "report-sample" script-src to determine whether or not to clip violation's sample, but the Trusted Type spec do that unconditionally.

[lukewarlow]

That latter bit is intentional from discussions we've had before.