More tweaks to <script nonce> hiding.

third_party/WebKit/Source/core/dom/ScriptLoader.cpp

Index: third_party/WebKit/Source/core/dom/ScriptLoader.cpp
diff --git a/third_party/WebKit/Source/core/dom/ScriptLoader.cpp b/third_party/WebKit/Source/core/dom/ScriptLoader.cpp
index 4622be44229ed367a3eb51bc199c9da9b8e43f12..a81881279666d1774fb360fbf399d9a324d02e38 100644
--- a/third_party/WebKit/Source/core/dom/ScriptLoader.cpp
+++ b/third_party/WebKit/Source/core/dom/ScriptLoader.cpp
@@ -520,8 +520,7 @@ bool ScriptLoader::FetchScript(const String& source_url,
     // 17. "If the script element has a nonce attribute,
     //      then let cryptographic nonce be that attribute's value.
     //      Otherwise, let cryptographic nonce be the empty string."

[kouhei (in TOK), 2017/04/11 12:24:18]

Would you update the spec text here to match:
https://github.com/whatwg/html/pull/2373/files#diff-36cd38f49b9afa08222c0dc9e...

-    if (element_->IsNonceableElement())
-      request.SetContentSecurityPolicyNonce(element_->nonce());
+    request.SetContentSecurityPolicyNonce(element_->GetNonceForElement());
 
     // 19. "Let parser state be "parser-inserted"
     //      if the script element has been flagged as "parser-inserted",
@@ -666,8 +665,7 @@ bool ScriptLoader::DoExecuteScript(const ScriptSourceCode& source_code) {
       csp->AllowScriptWithHash(source_code.Source(),
                                ContentSecurityPolicy::InlineType::kBlock);
 
-  AtomicString nonce =
-      element_->IsNonceableElement() ? element_->nonce() : g_null_atom;
+  const AtomicString& nonce = element_->GetNonceForElement();
   if (!is_external_script_ && !should_bypass_main_world_csp &&
       !element_->AllowInlineScriptForCSP(nonce, start_line_number_,
                                          source_code.Source())) {