Disable scripting when sandbox flag is set (#39163)

While I adding spec comments to the CSP crate, I discovered two issues:
1. We should only use the last sandbox value (WPT test added)
2. We weren't checking for the scripting sandbox flag in document

Also, the autoplay test should have allowed scripts to run, otherwise
the test doesn't run. Since we weren't checking the flag before, the
test ran fine for Servo. However, it wouldn't run for other browsers.

Also realized that an existing test was pointing to a non-existent file
(since it doesn't have `.sub`). Updated that and confirmed that in other
browsers it now properly works (it no longer shows a 404). However,
Servo now fails that test as we don't fire an load event.

Part of #913

Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com>

components/script/dom/document.rs

@@ -357,9 +357,6 @@ pub(crate) struct Document {
     asap_in_order_scripts_list: PendingInOrderScriptVec,
     /// <https://html.spec.whatwg.org/multipage/#set-of-scripts-that-will-execute-as-soon-as-possible>
     asap_scripts_set: DomRefCell<Vec<Dom<HTMLScriptElement>>>,
-    /// <https://html.spec.whatwg.org/multipage/#concept-n-noscript>
-    /// True if scripting is enabled for all scripts in this document
-    scripting_enabled: bool,
     /// <https://html.spec.whatwg.org/multipage/#animation-frame-callback-identifier>
     /// Current identifier of animation frame callback
     animation_frame_ident: Cell<u32>,
@@ -1115,14 +1112,17 @@ impl Document {
     }
 
     /// Return whether scripting is enabled or not
-    pub(crate) fn is_scripting_enabled(&self) -> bool {
-        self.scripting_enabled
-    }
-
-    /// Return whether scripting is enabled or not
-    /// <https://html.spec.whatwg.org/multipage/#concept-n-noscript>
+    /// <https://html.spec.whatwg.org/multipage/#concept-n-script>
     pub(crate) fn scripting_enabled(&self) -> bool {
-        self.has_browsing_context()
+        // Scripting is enabled for a node node if node's node document's browsing context is non-null,
+        // and scripting is enabled for node's relevant settings object.
+        self.has_browsing_context() &&
+        // Either settings's global object is not a Window object,
+        // or settings's global object's associated Document's active sandboxing flag
+        // set does not have its sandboxed scripts browsing context flag set.
+            !self.has_active_sandboxing_flag(
+                SandboxingFlagSet::SANDBOXED_SCRIPTS_BROWSING_CONTEXT_FLAG,
+            )
     }
 
     /// Return the element that currently has focus.
@@ -3365,7 +3365,6 @@ impl Document {
             deferred_scripts: Default::default(),
             asap_in_order_scripts_list: Default::default(),
             asap_scripts_set: Default::default(),
-            scripting_enabled: has_browsing_context,
             animation_frame_ident: Cell::new(0),
             animation_frame_list: DomRefCell::new(VecDeque::new()),
             running_animation_callbacks: Cell::new(false),

components/script/dom/eventtarget.rs

@@ -720,7 +720,7 @@ impl EventTarget {
         };
 
         // Step 3.2
-        if !document.is_scripting_enabled() {
+        if !document.scripting_enabled() {
             return None;
         }
 

components/script/dom/html/htmlscriptelement.rs

@@ -688,7 +688,7 @@ impl HTMLScriptElement {
         }
 
         // Step 17. If scripting is disabled for el, then return.
-        if !doc.is_scripting_enabled() {
+        if !doc.scripting_enabled() {
             return;
         }
 
@@ -1093,7 +1093,7 @@ impl HTMLScriptElement {
         // TODO use a settings object rather than this element's document/window
         // Step 2
         let document = self.owner_document();
-        if !document.is_fully_active() || !document.is_scripting_enabled() {
+        if !document.is_fully_active() || !document.scripting_enabled() {
             return;
         }
 
@@ -1130,7 +1130,7 @@ impl HTMLScriptElement {
         // TODO use a settings object rather than this element's document/window
         // Step 2
         let document = self.owner_document();
-        if !document.is_fully_active() || !document.is_scripting_enabled() {
+        if !document.is_fully_active() || !document.scripting_enabled() {
             return;
         }