Adjust the <script nonce>-hiding experiment

Adjust the <script nonce>-hiding experiment

After a bit more conversation, this patch follows up on the initial stab
at attribute changes in https://codereview.chromium.org/2628733005 in two
ways:

1.  It fixes some bits and pieces of SVGScriptElement handling that were
    simply broken in the initial patch (e.g. the 'nonce' attribute wasn't
    actually exposed via IDL), and adds SVG-based tests.

2.  We no longer clear the nonce value after execution; we're already
    preventing re-execution of a script block with a check in
    'ScriptLoader::prepareScript' so there's little added value in
    removing the nonce, but it incurs some non-trivial cost by making
    manual nonce propagation difficult.

BUG=680419
R=jochen@chromium.org

Review-Url: https://codereview.chromium.org/2644143005
Cr-Commit-Position: refs/heads/master@{#445049}
Committed: https://chromium.googlesource.com/chromium/src/+/a7a3f277b70327d2fd2f383acba1b1c2c78f018c

[Mike West, 2017-01-20 11:31:47]

The CQ bit was checked by mkwst@chromium.org to run a CQ dry run

[commit-bot: I haz the power, 2017-01-20 11:31:58]

Dry run: CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[Mike West, 2017-01-20 11:33:10]

Description was changed from

==========
yay

After a bit more conversation, this patch follows up on the initial stab
at nonce changes in https://codereview.chromium.org/2628733005 in two
ways:

1.  It fixes some bits and pieces of SVGScriptElement handling that were
    simply broken in the initial patch (e.g. the 'nonce' attribute wasn't
    actually exposed via IDL), and adds SVG-based tests.

2.  We no longer clear the nonce value after execution; we're already
    preventing re-execution of a script block with a check in
    'ScriptLoader::prepareScript' so there's little added value in
    removing the nonce, but it incurs some non-trivial cost by making
    manual nonce propagation difficult.

BUG=680419
R=jochen@chromium.org
==========

to

==========
Adjust the <script nonce>-hiding experiment

After a bit more conversation, this patch follows up on the initial stab
at attribute changes in https://codereview.chromium.org/2628733005 in two
ways:

1.  It fixes some bits and pieces of SVGScriptElement handling that were
    simply broken in the initial patch (e.g. the 'nonce' attribute wasn't
    actually exposed via IDL), and adds SVG-based tests.

2.  We no longer clear the nonce value after execution; we're already
    preventing re-execution of a script block with a check in
    'ScriptLoader::prepareScript' so there's little added value in
    removing the nonce, but it incurs some non-trivial cost by making
    manual nonce propagation difficult.

BUG=680419
R=jochen@chromium.org
==========

[Mike West, 2017-01-20 11:33:44]

mkwst@chromium.org changed reviewers:
+ lwe@google.com

[Mike West, 2017-01-20 11:33:45]

Jochen, based on some conversation with lwe@, this seems like the right
direction for us to propose. Mind taking a look?

[jochen (gone - plz use gerrit), 2017-01-20 11:58:46]

lgtm

[lwe, 2017-01-20 12:04:22]

lgtm

[Mike West, 2017-01-20 12:55:36]

The CQ bit was checked by mkwst@chromium.org

[Mike West, 2017-01-20 12:55:36]

The patchset sent to the CQ was uploaded after l-g-t-m from lwe@google.com,
jochen@chromium.org
Link to the patchset: https://codereview.chromium.org/2644143005/#ps20001
(title: "webexposed")

[commit-bot: I haz the power, 2017-01-20 12:55:52]

CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[commit-bot: I haz the power, 2017-01-20 14:29:06]

CQ is committing da patch.

Bot data: {"patchset_id": 20001, "attempt_start_ts": 1484916936170080,
"parent_rev": "f5e28f75a5aa8e2b6216637df60a96d0199193c5", "commit_rev":
"a7a3f277b70327d2fd2f383acba1b1c2c78f018c"}

[commit-bot: I haz the power, 2017-01-20 14:29:40]

Description was changed from

==========
Adjust the <script nonce>-hiding experiment

After a bit more conversation, this patch follows up on the initial stab
at attribute changes in https://codereview.chromium.org/2628733005 in two
ways:

1.  It fixes some bits and pieces of SVGScriptElement handling that were
    simply broken in the initial patch (e.g. the 'nonce' attribute wasn't
    actually exposed via IDL), and adds SVG-based tests.

2.  We no longer clear the nonce value after execution; we're already
    preventing re-execution of a script block with a check in
    'ScriptLoader::prepareScript' so there's little added value in
    removing the nonce, but it incurs some non-trivial cost by making
    manual nonce propagation difficult.

BUG=680419
R=jochen@chromium.org
==========

to

==========
Adjust the <script nonce>-hiding experiment

After a bit more conversation, this patch follows up on the initial stab
at attribute changes in https://codereview.chromium.org/2628733005 in two
ways:

1.  It fixes some bits and pieces of SVGScriptElement handling that were
    simply broken in the initial patch (e.g. the 'nonce' attribute wasn't
    actually exposed via IDL), and adds SVG-based tests.

2.  We no longer clear the nonce value after execution; we're already
    preventing re-execution of a script block with a check in
    'ScriptLoader::prepareScript' so there's little added value in
    removing the nonce, but it incurs some non-trivial cost by making
    manual nonce propagation difficult.

BUG=680419
R=jochen@chromium.org

Review-Url: https://codereview.chromium.org/2644143005
Cr-Commit-Position: refs/heads/master@{#445049}
Committed:
https://chromium.googlesource.com/chromium/src/+/a7a3f277b70327d2fd2f383acba1...
==========

[commit-bot: I haz the power, 2017-01-20 14:29:41]

Committed patchset #2 (id:20001) as
https://chromium.googlesource.com/chromium/src/+/a7a3f277b70327d2fd2f383acba1...