Fix and clarify some [CEReactions] annotations

Closes #3887, for nonce="". Closes #3889, for textarea's value="".

Author: domenic

source

@@ -7117,6 +7117,15 @@ a.setAttribute('href', 'https://example.com/'); // change the content attribute
   value of this element's <span>[[CryptographicNonce]]</span>; and on setting, set this element's
   <span>[[CryptographicNonce]]</span> to the given value.</p>
 
+  <p class="note" id="nonce-does-not-update-dom">Note how the setter for the <code
+  data-x="dom-HTMLOrSVGElement-nonce">nonce</code> IDL attribute does not update the corresponding
+  content attribute. This, as well as the below setting of the <code
+  data-x="attr-nonce">nonce</code> content attribute to the empty string when an element
+  <span>becomes browsing-context connected</span>, is meant to prevent exfiltration of the nonce
+  value through mechanisms that can easily read content attributes, such as selectors. Learn more in
+  <a href="https://github.com/whatwg/html/issues/2369">issue #2369</a>, where this behavior was
+  introduced.</p>
+
   <p>Whenever an element including <code>HTMLOrSVGElement</code> has its <code
   data-x="attr-nonce">nonce</code> attribute is set or changed, set this element's
   <span>[[CryptographicNonce]]</span> to the given value.</p>
@@ -10236,7 +10245,7 @@ interface <dfn>HTMLUnknownElement</dfn> : <span>HTMLElement</span> { };</code></
 
   <pre><code class="idl" data-x="">interface mixin <dfn>HTMLOrSVGElement</dfn> {
   [SameObject] readonly attribute <span>DOMStringMap</span> <span data-x="dom-dataset">dataset</span>;
-  attribute DOMString <span data-x="dom-HTMLOrSVGElement-nonce">nonce</span>;
+  attribute DOMString <span data-x="dom-HTMLOrSVGElement-nonce">nonce</span>; // <a href="#nonce-does-not-update-dom">intentionally no [CEReactions]</a>
 
   [<span>CEReactions</span>] attribute long <span data-x="dom-tabindex">tabIndex</span>;
   void <span data-x="dom-focus">focus</span>(optional <span>FocusOptions</span> options);
@@ -50828,7 +50837,7 @@ interface <dfn>HTMLTextAreaElement</dfn> : <span>HTMLElement</span> {
 
   readonly attribute DOMString <span data-x="dom-textarea-type">type</span>;
   [<span>CEReactions</span>] attribute DOMString <span data-x="dom-textarea-defaultValue">defaultValue</span>;
-  [<span>CEReactions</span>] attribute [TreatNullAs=EmptyString] DOMString <span data-x="dom-textarea-value">value</span>;
+  attribute [TreatNullAs=EmptyString] DOMString <span data-x="dom-textarea-value">value</span>;
   readonly attribute unsigned long <span data-x="dom-textarea-textLength">textLength</span>;
 
   readonly attribute boolean <span data-x="dom-cva-willValidate">willValidate</span>;