[Embedded Enforcement] Introduce a way to only validate nonce usage

[shhnjk]

When using CSP Embedded Enforcement, embedder maybe only interested in enforcing nonce-based CSP, but doesn't care much about what the nonce value is.

From reading existing spec, it seems like exact nonce value has to match, which introduces complexity to embeddee, where it has to parse request header and apply same nonce value to its document.

We probably should introduce a way to validate that the nonce is being used in embeddee, but makes no actual value checks.

Example:

<iframe src="https://example.tld" csp="script-src 'enforce-nonce'"></iframe>

[antosart]

According to the spec, nonces do not have to match, see https://w3c.github.io/webappsec-cspee/#subsume-source-expressions §4.1 (and in particular the note).

In practice, specifying 'nonce-xxx' for any xxx in the csp attribute has the effect of the keyword 'enforce-nonce' you are proposing.

We could think of having such a keyword instead, since it could be less confusing for developers.

[shhnjk]

Good to know, thanks!