Close #384: add CSP hooks to handle inline events and style

The "Should element's inline behavior be blocked by CSP?" algorithm now
accepts a "type", and can handle event handlers and style attributes.
This patch adds the relevant hooks to the handling of those two
features, and updates the existing hooks for inline `<script>` and
`<style>` elements themselves.

Author: mikewest

source

@@ -10873,6 +10873,12 @@ Transport Protocol">HTTP&lt;/abbr> today.&lt;/p></pre> <!-- DO NOT REWRAP THIS L
   according to the rules given for <span data-x="CSS styling attribute">CSS styling
   attributes</span>. <ref spec=CSSATTR></p>
 
+  <p>However, if the <span>Should element's inline behavior be blocked by Content Security
+  Policy?</span> algorithm returns "<code data-x="">Blocked</code>" when executed upon the
+  attribute's <span>element</span> and "<code data-x="">style attribute</code>", then the style
+  rules defined in the attribute's value must not be applied to the <span>element</span>. <ref
+  spec="CSP"></p>
+
   </div>
 
   <p>Documents that use <code data-x="attr-style">style</code> attributes on any of their elements
@@ -13295,7 +13301,8 @@ own thing rather than part of the extended sentence -->
 
    <li><p>If the <span>Should element's inline behavior be blocked by Content Security
    Policy?</span> algorithm returns "<code data-x="">Blocked</code>" when executed upon the
-   <code>style</code> element, then abort these steps. <ref spec="CSP"></p></li>
+   <code>style</code> element and "<code data-x="">style</code>", then abort these steps.
+   <ref spec="CSP"></p></li>
 
    <!-- note that the browsing context isn't needed: http://software.hixie.ch/utilities/js/live-dom-viewer/saved/2739 -->
 
@@ -59287,10 +59294,11 @@ dictionary <dfn>RelatedEventInit</dfn> : <span>EventInit</span> {
    </li>
 
    <li id="script-processing-csp"><p>If the <code>script</code> element does not have a <code
-   data-x="attr-script-src">src</code> content attribute, and the <span>Should node's inline
+   data-x="attr-script-src">src</code> content attribute, and the <span>Should element's inline
    behavior be blocked by Content Security Policy?</span> algorithm returns "<code
-   data-x="">Blocked</code>" when executed upon the <code>script</code> element, then the user
-   agent must abort these steps. The script is not executed. <ref spec="CSP"></p></li>
+   data-x="">Blocked</code>" when executed upon the <code>script</code> element and "<code
+   data-x="">script</code>", then the user agent must abort these steps. The script is not executed.
+   <ref spec="CSP"></p></li>
 
    <li id="script-processing-for">
 
@@ -87138,9 +87146,18 @@ dictionary <dfn>PromiseRejectionEventInit</dfn> : <span>EventInit</span> {
   <div w-nodev>
 
   <p>When an <span data-x="event handler content attributes">event handler content attribute</span>
-  is set, the user agent must set the corresponding <span data-x="event handlers">event
-  handler</span> to an <span>internal raw uncompiled handler</span> consisting of the attribute's
-  new value and the script location where the attribute was set to this value</p>
+  is set, execute the following steps:</p>
+
+  <ol>
+   <li><p>If the <span>Should element's inline behavior be blocked by Content Security
+   Policy?</span> algorithm returns "<code data-x="">Blocked</code>" when executed upon the
+   attribute's <span>element</span> and "<code data-x="">script attribute</code>", then abort these
+   steps. <ref spec="CSP"></p></li>
+
+   <li><p>Set the corresponding <span data-x="event handlers">event handler</span> to an
+   <span>internal raw uncompiled handler</span> consisting of the attribute's new value and the
+   script location where the attribute was set to this value</p></li>
+  </ol>
 
   <p>When an event handler content attribute is removed, the user agent must set the corresponding
   <span data-x="event handlers">event handler</span> to null.</p>