Merge nonce hiding subfeature into nonce #29045

Merged: caugner merged 4 commits into mdn:main from Elchi3:collapse-nonce on Feb 20, 2026

Elchi3 (Member) commented Feb 13, 2026

Summary

I created this structure originally, but I don't like it. The implementation of the nonce attribute is complete when browsers implement it fully, so that also means nonce hiding.

We can argue if we want version ranges and partial support for Firefox 31-75 and Safari 15.4-15.5 when there was no nonce hiding, but maybe that's not too interesting anymore. Happy to add it if you want me to, though.

Test results and supporting details

Data remains the same, just no sub feature anymore.
Collector can more easily test this entry

Related issues

None open, I think.

github-actions bot added the data:html and size:m labels Feb 13, 2026
caugner (Contributor) commented Feb 18, 2026

> I created this structure originally, but I don't like it. The implementation of the nonce attribute is complete when browsers implement it fully, so that also means nonce hiding.

@Elchi3 Hm, I looked into the spec once more, and found a reference to this spec issue, which was resolved by this spec PR. So it seems that this behavior was later added to the spec, justifying a subfeature!?

Elchi3 (Member, Author) commented Feb 18, 2026

I was reading our docs and given Firefox is the single engine with a bug present over a longer period of time, it seems like we're in the described situation:

> Behavioral subfeatures are rare. Do not create a subfeature when the behavioral subfeature's support data would be the same, across all browsers, as the parent feature. For serious bugs affecting a single engine, consider using partial_implementation instead.

caugner (Contributor) commented Feb 19, 2026

Let's get a third opinion from @ddbeck here.

Strictly speaking, as Safari support for nonce hiding has a different version (15.5) than initial nonce support (15.4), the cited paragraph doesn't apply. Also, it could be considered this valid case:

> Behavioral evolution that is not readily feature detectable. This type of behavioral subfeature typically describes consequences of specification changes that appeared after the feature first shipped in one or more browsers or user interface changes that appeared after implementers learned more about the specification.

On the other hand, given nonce hiding landed only one release after the parent feature, it is fair to not consider this a behavioral evolution.

"version_added": "31",
"version_removed": "75",
"partial_implementation": true,
"notes": "No `nonce` hiding behavior."
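
Review bot: the `notes` string on the last line, "No `nonce` hiding behavior.", names a behavior without saying what happens in its absence, so a reader of the compat table for versions 31 up to 75 cannot tell what the partial implementation means for them; consider wording it as what the browser does in that range. Also, since `version_removed` is "75", confirm the same entry carries a statement that begins at 75 without `partial_implementation`, otherwise the data would read as support ending there.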

ddbeck (Contributor) left a comment

I like dropping this subfeature and marking it as partial.

I would argue that nonce hiding is not a feature because it's a new narrowing on how developers can access nonce values. In the unlikely event that a developer was intentionally reading nonce values that would have been hidden, then that use might've been broken on the first day any browser shipped nonce hiding. It's more like a feature presented in reverse, something like nonce_values_in_css (or whatever) that is deprecated and removed over time.

If this weren't an attack vector, I might suggest that nonce hiding is only noteworthy (not subfeature or partial implementation worthy). But it is an attack vector, so I think it makes sense to treat the previous implementations as partial (albeit retroactively so). I'd also make the wording stronger, which I've suggested in a line comment.
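
One way a consumer of the collapsed entry could answer "does this browser version hide nonces?", as an added example that is not part of the PR or of the project's own code. The support data is constructed from the version numbers mentioned in this thread; the full-support statements starting at 75 and 15.5, and all function names, are assumptions.

```javascript
// Constructed data modelled on the versions discussed in the thread, not the merged file.
// Assumption: full support (with nonce hiding) starts where the partial range ends.
const nonceSupport = {
  firefox: [
    { version_added: "75" },
    { version_added: "31", version_removed: "75", partial_implementation: true,
      notes: "No `nonce` hiding behavior." },
  ],
  safari: [
    { version_added: "15.5" },
    { version_added: "15.4", version_removed: "15.5", partial_implementation: true,
      notes: "No `nonce` hiding behavior." },
  ],
};

// Compare dotted version strings numerically, so "15.10" sorts after "15.4".
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const diff = (pa[i] || 0) - (pb[i] || 0);
    if (diff !== 0) return Math.sign(diff);
  }
  return 0;
}

// Returns { level: "full" | "partial" | "none", notes } for one browser version.
// version_removed is treated as an exclusive upper bound.
function resolveSupport(statements, version) {
  for (const s of statements) {
    if (typeof s.version_added !== "string") continue; // no version range to match
    if (compareVersions(version, s.version_added) < 0) continue;
    if (s.version_removed && compareVersions(version, s.version_removed) >= 0) continue;
    return { level: s.partial_implementation ? "partial" : "full", notes: s.notes || null };
  }
  return { level: "none", notes: null };
}

// With the subfeature collapsed, "partial" is the only signal that hiding is missing,
// so a check that only asks "is nonce supported?" must not treat partial as full.
function nonceIsHidden(browser, version) {
  return resolveSupport(nonceSupport[browser] || [], version).level === "full";
}
```
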

Elchi3 and others added 2 commits February 20, 2026 17:36
caugner enabled auto-merge (squash) February 20, 2026 17:20
caugner merged commit 86a6fb6 into mdn:main Feb 20, 2026
8 checks passed
mdn-bot mentioned this pull request Feb 20, 2026
Elchi3 deleted the collapse-nonce branch February 23, 2026 09:45