Add nonce as a Content attribute for <link>

[evilpie]

At least "The fetch and process the linked resource algorithm for modulepreload links" uses the nonce attribute implicitly via [[CryptographicNonce]].

[evilpie]

Oh, maybe content attributes are those that should be exposed to JS? In that case we could close this issue.

[domenic]

nonce is actually a global content attribute: https://html.spec.whatwg.org/#global-attributes:attr-nonce . It's a bit strange, and maybe as an editorial matter we could move it to just script and link?

[domenic]

I guess it also applies to style? That doesn't seem to be specified, as far as I can tell...

This changed in #2373 but I can't find any motivation for why it became global. My best guess is that it was seen as simplest to make the magic attribute-hiding behavior universal, instead of element-specific, and then nobody thought that we could separate the attribute definition (useful for conformance, etc.) from the normative behavior?

[annevk]

Yeah, I think it was an oversight. You want the processing model to be global in case you introduce more elements that need nonces in the future, but conformance can still be done on a per-element basis. I'd be supportive of tightening this.

cc @mikewest @arturjanc @sideshowbarker