Bug 1843002 - Add nonce to ScriptFetchOptions. r=allstarschh,smaug

Differential Revision: https://phabricator.services.mozilla.com/D183365

dom/script/ModuleLoader.cpp

@@ -271,6 +271,9 @@ already_AddRefed<ModuleLoadRequest> ModuleLoader::CreateDynamicImport(
   RefPtr<ScriptLoadContext> context = new ScriptLoadContext();
 
   if (aMaybeActiveScript) {
+    // https://html.spec.whatwg.org/multipage/webappapis.html#hostloadimportedmodule
+    // Step 6.3. Set fetchOptions to the new descendant script fetch options for
+    // referencingScript's fetch options.
     options = aMaybeActiveScript->GetFetchOptions();
     baseURL = aMaybeActiveScript->BaseURL();
   } else {
@@ -285,8 +288,18 @@ already_AddRefed<ModuleLoadRequest> ModuleLoader::CreateDynamicImport(
                   BasePrincipal::Cast(principal)->ContentScriptAddonPolicy());
     MOZ_ASSERT_IF(GetKind() == Normal, principal == document->NodePrincipal());
 
-    options = new ScriptFetchOptions(
-        mozilla::CORS_NONE, document->GetReferrerPolicy(), principal, nullptr);
+    // https://html.spec.whatwg.org/multipage/webappapis.html#hostloadimportedmodule
+    // Step 4. Let fetchOptions be the default classic script fetch options.
+    //
+    // https://html.spec.whatwg.org/multipage/webappapis.html#default-classic-script-fetch-options
+    // The default classic script fetch options are a script fetch options whose
+    // cryptographic nonce is the empty string, integrity metadata is the empty
+    // string, parser metadata is "not-parser-inserted", credentials mode is
+    // "same-origin", referrer policy is the empty string, and fetch priority is
+    // "auto".
+    options = new ScriptFetchOptions(mozilla::CORS_NONE,
+                                     document->GetReferrerPolicy(),
+                                     /* aNonce = */ u""_ns, principal, nullptr);
     baseURL = document->GetDocBaseURI();
   }