Experiment with hiding <script>'s 'nonce' content attribute.

third_party/WebKit/Source/core/dom/ScriptLoader.cpp

Index: third_party/WebKit/Source/core/dom/ScriptLoader.cpp
diff --git a/third_party/WebKit/Source/core/dom/ScriptLoader.cpp b/third_party/WebKit/Source/core/dom/ScriptLoader.cpp
index 7b3915aaac0eec2ae7e42d89ecbea6a1915a3734..ad91f9dc9d92335c7aeb0b8ea2deba54d71818dc 100644
--- a/third_party/WebKit/Source/core/dom/ScriptLoader.cpp
+++ b/third_party/WebKit/Source/core/dom/ScriptLoader.cpp
@@ -347,10 +347,8 @@ bool ScriptLoader::fetchScript(const String& sourceUrl,
                                           crossOrigin);
     request.setCharset(scriptCharset());
 
-    if (ContentSecurityPolicy::isNonceableElement(m_element.get())) {
-      request.setContentSecurityPolicyNonce(
-          m_element->fastGetAttribute(HTMLNames::nonceAttr));
-    }
+    if (ContentSecurityPolicy::isNonceableElement(m_element.get()))
+      request.setContentSecurityPolicyNonce(client()->nonce());
 
     request.setParserDisposition(isParserInserted() ? ParserInserted
                                                     : NotParserInserted);
@@ -465,8 +463,8 @@ bool ScriptLoader::doExecuteScript(const ScriptSourceCode& sourceCode) {
 
   AtomicString nonce =
       ContentSecurityPolicy::isNonceableElement(m_element.get())
-          ? m_element->fastGetAttribute(HTMLNames::nonceAttr)
-          : AtomicString();
+          ? client()->nonce()
+          : nullAtom;
   if (!m_isExternalScript &&
       (!shouldBypassMainWorldCSP &&
        !csp->allowInlineScript(m_element, elementDocument->url(), nonce,
@@ -552,6 +550,10 @@ bool ScriptLoader::doExecuteScript(const ScriptSourceCode& sourceCode) {
     contextDocument->popCurrentScript();
   }
 
+  // "Number used _once_", so, clear it out after execution.
+  if (RuntimeEnabledFeatures::hideNonceContentAttributeEnabled())
+    client()->clearNonce();
+
   return true;
 }