script: Implement document's active sandboxing flag set (#39079)

Implements document's active sandboxing flags. These are currently
populated only from CSP-derived sandboxing flags for a new document,
when defined in the CSP.

Testing: 1 new pass, and some new wpt's are added to test points in the
spec where these flags influence behaviour.

Signed-off-by: Shane Handley <shanehandley@fastmail.com>

tests/wpt/meta/MANIFEST.json

@@ -403717,6 +403717,14 @@
      ]
     },
     "sandbox": {
+     "autoplay-disabled-by-csp.html.headers": [
+      "32518e57d4584de71845a9260b093c3535fc3074",
+      []
+     ],
+     "form-submission-blocked-by-sandboxing.html.headers": [
+      "1efcf8c226fac074c98d0a5a747856f532e5d84e",
+      []
+     ],
      "support": {
       "empty.html": [
        "e69de29bb2d1d6434b8b29ae775ad8c2e48c5391",
@@ -581697,6 +581705,20 @@
      ]
     },
     "sandbox": {
+     "autoplay-disabled-by-csp.html": [
+      "d7bd453a34c0e75c98c837f853c0cf492359625a",
+      [
+       null,
+       {}
+      ]
+     ],
+     "form-submission-blocked-by-sandboxing.html": [
+      "4c717a18fd8bfa9d5cb4bc5449b0f25498ccb754",
+      [
+       null,
+       {}
+      ]
+     ],
      "iframe-inside-csp.sub.html": [
       "cd402bdba0198bf763e1733004c2005614b9a542",
       [

tests/wpt/meta/html/browsers/origin/relaxing-the-same-origin-restriction/sandboxed-document_domain.html.ini

@@ -1,3 +0,0 @@
-[sandboxed-document_domain.html]
-  [Sandboxed document.domain]
-    expected: FAIL

tests/wpt/tests/content-security-policy/sandbox/autoplay-disabled-by-csp.html

@@ -0,0 +1,25 @@
+<!DOCTYPE html>
+<html>
+  <head>
+  <link rel="help" href="https://html.spec.whatwg.org/multipage/#eligible-for-autoplay" />
+  <title>Test that autoplay is blocked by a document's active sandboxing flags</title>
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+  <script src="/common/media.js"></script>
+  </head>
+  <body>
+    <video id="v" autoplay></video>
+    <script>
+      async_test((t) => {
+        var v = document.getElementById('v')
+
+        v.addEventListener('playing', t.unreached_func(
+          'video should not autoplay due to sandboxing flags'
+        ));
+
+        v.src = getVideoURI('/media/movie_5') + '?' + new Date() + Math.random()
+        t.step_timeout(() => t.done(), 500);
+      }, 'csp-derived sandboxing flags prevent autoplay.')
+    </script>
+  </body>
+</html>

tests/wpt/tests/content-security-policy/sandbox/autoplay-disabled-by-csp.html.headers

@@ -0,0 +1 @@
+Content-Security-Policy: sandbox allow-forms

tests/wpt/tests/content-security-policy/sandbox/form-submission-blocked-by-sandboxing.html

@@ -0,0 +1,26 @@
+<!DOCTYPE html>
+<html>
+  <head>
+  <link rel="help" href="https://html.spec.whatwg.org/multipage/#concept-form-submit">
+  <title>Test that form submission is blocked by a document's active sandboxing flags</title>
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+  </head>
+  <body>
+    <form id="f">
+      <input type="hidden" value="test" />
+    </form>
+    <script>
+      async_test((t) => {
+        var f = document.getElementById('f')
+
+        f.addEventListener('submit', t.unreached_func(
+          'form should not be submitted due to sandboxing flags'
+        ));
+
+        f.submit();
+        t.step_timeout(() => t.done(), 500);
+      }, 'csp-derived sandboxing flags prevent form submission.')
+    </script>
+  </body>
+</html>

tests/wpt/tests/content-security-policy/sandbox/form-submission-blocked-by-sandboxing.html.headers

@@ -0,0 +1 @@
+Content-Security-Policy: sandbox allow-scripts