Reland of "CSP: Block nonces for elements with duplicate attributes."

Docs have fixed their duplicate nonces b/70010257
Initial CR: https://chromium-review.googlesource.com/c/chromium/src/+/566822/
Spec: https://github.com/whatwg/html/issues/3257

Bug: 908207
Change-Id: I95be2e84d216147483bfdf816878fe4058451065
Reviewed-on: https://chromium-review.googlesource.com/c/1356984Reviewed-by: Mike West <mkwst@chromium.org>
Commit-Queue: Andy Paicu <andypaicu@chromium.org>
Cr-Commit-Position: refs/heads/master@{#613099}

third_party/blink/renderer/core/frame/csp/content_security_policy.cc

@@ -112,11 +112,12 @@ bool ContentSecurityPolicy::IsNonceableElement(const Element* element) {
   // element: if their names or values contain "<script" or "<style", we won't
   // apply the nonce when loading script.
   //
-  // TODO(mkwst): We'll should also skip elements for which the HTML parser
-  // dropped attributes: https://crbug.com/740615 and https://crbug.com/790955.
-  //
   // See http://blog.innerht.ml/csp-2015/#danglingmarkupinjection for an example
   // of the kind of attack this is aimed at mitigating.
+
+  if (element->HasDuplicateAttribute())
+    nonceable = false;
+
   if (nonceable) {
     static const char kScriptString[] = "<SCRIPT";
     static const char kStyleString[] = "<STYLE";

third_party/blink/web_tests/external/wpt/content-security-policy/script-src/nonce-enforce-blocked-expected.txt

-This is a testharness.js-based test.
-FAIL Unnonced scripts generate reports. assert_unreached: Duplicate attribute, no execution. Reached unreachable code
-Harness: the test ran to completion.
-