Add referrerpolicy attribute support to <script>s

Closes w3c/webappsec-referrer-policy#96.

Tests: web-platform-tests/wpt#10976 (see also
web-platform-tests/wpt#11023).

source

@@ -57401,6 +57401,7 @@ interface <dfn>HTMLDialogElement</dfn> : <span>HTMLElement</span> {
    <dd><code data-x="attr-script-defer">defer</code></dd>
    <dd><code data-x="attr-script-crossorigin">crossorigin</code></dd>
    <dd><code data-x="attr-script-integrity">integrity</code></dd>
+   <dd><code data-x="attr-script-referrerpolicy">referrerpolicy</code></dd>
    <dt><span data-x="concept-element-dom">DOM interface</span>:</dt>
    <dd w-nodev>
     <pre class="idl">[Exposed=Window,
@@ -57414,6 +57415,7 @@ interface <dfn>HTMLScriptElement</dfn> : <span>HTMLElement</span> {
   [<span>CEReactions</span>] attribute DOMString? <span data-x="dom-script-crossOrigin">crossOrigin</span>;
   [<span>CEReactions</span>] attribute DOMString <span data-x="dom-script-text">text</span>;
   [<span>CEReactions</span>] attribute DOMString <span data-x="dom-script-integrity">integrity</span>;
+  [<span>CEReactions</span>] attribute DOMString <span data-x="dom-script-referrerPolicy">referrerPolicy</span>;
 
 };</pre>
    </dd>
@@ -57478,8 +57480,9 @@ interface <dfn>HTMLScriptElement</dfn> : <span>HTMLElement</span> {
   defined for the format used. The <code data-x="attr-script-src">src</code>, <code
   data-x="attr-script-async">async</code>, <code data-x="attr-script-nomodule">nomodule</code>,
   <code data-x="attr-script-defer">defer</code>, <code
-  data-x="attr-script-crossorigin">crossorigin</code>, and <code
-  data-x="attr-script-integrity">integrity</code> attributes must not be specified.</p>
+  data-x="attr-script-crossorigin">crossorigin</code>, <code
+  data-x="attr-script-integrity">integrity</code>, and <code
+  data-x="attr-script-referrerpolicy">referrerpolicy</code> attributes must not be specified.</p>
 
   <p>The <dfn><code data-x="attr-script-nomodule">nomodule</code></dfn> attribute is a <span>boolean
   attribute</span> that prevents a script from being executed in user agents that support
@@ -57560,11 +57563,27 @@ interface <dfn>HTMLScriptElement</dfn> : <span>HTMLElement</span> {
   <span>module script</span> or when the <code data-x="attr-script-src">src</code> attribute is not
   specified. <ref spec="SRI"></p>
 
+  <p>The <dfn><code data-x="attr-script-referrerpolicy">referrerpolicy</code></dfn> attribute is a
+  <span>referrer policy attribute</span>. Its purpose is to set the <span>referrer policy</span>
+  used when <span data-x="concept-fetch">fetching</span> the script, as well as any scripts imported
+  from it. <ref spec=REFERRERPOLICY></p>
+
+  <div class="example">
+   <p>An example of a &lt;script>'s referrer policy being used when fetching imported scripts but
+   not other subresources.</p>
+
+   <pre>&lt;script src="main.js" referrerpolicy="origin">
+  fetch('/api/data');   // not fetched with &lt;script>'s referrer policy
+  import('./utils.js'); // is fetched with &lt;script>'s referrer policy ("origin" in this case)
+&lt;/script></pre>
+  </div>
+
   <p>Changing the <code data-x="attr-script-src">src</code>, <code
   data-x="attr-script-type">type</code>, <code data-x="attr-script-nomodule">nomodule</code>, <code
   data-x="attr-script-async">async</code>, <code data-x="attr-script-defer">defer</code>, <code
-  data-x="attr-script-crossorigin">crossorigin</code>, and <code
-  data-x="attr-script-integrity">integrity</code> attributes dynamically has no direct effect; these
+  data-x="attr-script-crossorigin">crossorigin</code>, <code
+  data-x="attr-script-integrity">integrity</code>, and <code
+  data-x="attr-script-referrerpolicy">referrerpolicy</code> attributes dynamically has no direct effect; these
   attributes are only used at specific times described below.</p> <!-- by implication, changes to
   the base URL also have no effect -->
 
@@ -57576,6 +57595,10 @@ interface <dfn>HTMLScriptElement</dfn> : <span>HTMLElement</span> {
   data-x="dom-script-integrity">integrity</code></dfn>, must each <span>reflect</span> the
   respective content attributes of the same name.</p>
 
+  <p>The <dfn><code data-x="dom-script-referrerPolicy">referrerPolicy</code></dfn> IDL attribute must
+  <span>reflect</span> the <code data-x="attr-script-referrerpolicy">referrerpolicy</code> content
+  attribute, <span>limited to only known values</span>.</p>
+
   <p>The <dfn><code data-x="dom-script-crossOrigin">crossOrigin</code></dfn> IDL attribute must
   <span>reflect</span> the <code data-x="attr-script-crossorigin">crossorigin</code> content
   attribute, <span>limited to only known values</span>.</p>
@@ -58072,25 +58095,21 @@ o............A....e
 
    </li>
 
+   <li><p>Let <var>referrer policy</var> be the current state of the element's <code
+   data-x="attr-script-referrerpolicy">referrerpolicy</code> content attribute.</p></li>
+
    <li><p>Let <var>parser metadata</var> be "<code data-x="">parser-inserted</code>" if the
    <code>script</code> element has been flagged as <span>"parser-inserted"</span>, and
    "<code data-x="">not-parser-inserted</code>" otherwise.</p></li>
 
-   <li>
-    <p>Let <var>options</var> be a <span>script fetch options</span> whose <span
-    data-x="concept-script-fetch-options-nonce">cryptographic nonce</span> is <var>cryptographic
-    nonce</var>, <span data-x="concept-script-fetch-options-integrity">integrity metadata</span> is
-    <var>integrity metadata</var>, <span data-x="concept-script-fetch-options-parser">parser
-    metadata</span> is <var>parser metadata</var>, <span
-    data-x="concept-script-fetch-options-credentials">credentials mode</span> is <var>module script
-    credentials mode</var>, and <span data-x="concept-script-fetch-options-referrer-policy">referrer
-    policy</span> is the empty string.</p>
-
-    <p class="note">See <a
-    href="https://github.com/w3c/webappsec-referrer-policy/issues/96">w3c/webappsec-referrer-policy#96</a>
-    for future plans to add a <code data-x="">referrerpolicy</code> attribute to <code>script</code>
-    elements.
-   </p>
+   <li><p>Let <var>options</var> be a <span>script fetch options</span> whose <span
+   data-x="concept-script-fetch-options-nonce">cryptographic nonce</span> is <var>cryptographic
+   nonce</var>, <span data-x="concept-script-fetch-options-integrity">integrity metadata</span> is
+   <var>integrity metadata</var>, <span data-x="concept-script-fetch-options-parser">parser
+   metadata</span> is <var>parser metadata</var>, <span
+   data-x="concept-script-fetch-options-credentials">credentials mode</span> is <var>module script
+   credentials mode</var>, and <span data-x="concept-script-fetch-options-referrer-policy">referrer
+   policy</span> is <var>referrer policy</var>.</p></li>
 
    <li><p>Let <var>settings object</var> be the element's <span>node document</span>'s
    <code>Window</code> object's <span>environment settings object</span>.</p></li>
@@ -86799,7 +86818,7 @@ interface <dfn>ApplicationCache</dfn> : <span>EventTarget</span> {
   a script">preparing a script</span>, and should not be used directly by other specifications.</p>
 
   <p>To perform the <dfn>internal module script graph fetching procedure</dfn> given a
-  <var>url</var>, a <var>fetch client settings object</var>, a <var>destination</var>, a some
+  <var>url</var>, a <var>fetch client settings object</var>, a <var>destination</var>, some
   <var>options</var>, a <var>module map settings object</var>, a <var>visited set</var>, a
   <var>referrer</var>, and a <var>top-level module fetch</var> flag, perform these steps. The
   algorithm will asynchronously complete with either null (on failure) or a <span>module
@@ -116716,7 +116735,8 @@ interface <dfn>External</dfn> {
          <code data-x="attr-script-async">async</code>;
          <code data-x="attr-script-defer">defer</code>;
          <code data-x="attr-script-crossorigin">crossorigin</code>;
-         <code data-x="attr-script-integrity">integrity</code></td>
+         <code data-x="attr-script-integrity">integrity</code>;
+         <code data-x="attr-script-referrerpolicy">referrerpolicy</code></td>
      <td><code>HTMLScriptElement</code></td>
     </tr>
 
@@ -118234,7 +118254,8 @@ interface <dfn>External</dfn> {
           <code data-x="attr-hyperlink-referrerpolicy">area</code>;
           <code data-x="attr-iframe-referrerpolicy">iframe</code>;
           <code data-x="attr-img-referrerpolicy">img</code>;
-          <code data-x="attr-link-referrerpolicy">link</code>
+          <code data-x="attr-link-referrerpolicy">link</code>;
+          <code data-x="attr-script-referrerpolicy">script</code>
      <td> <span>Referrer policy</span> for <span data-x="concept-fetch">fetches</span> initiated by the element
      <td> <span>Referrer policy</span>
     <tr>