Description
This is a follow-up to gh-4948. In gh-4949, we stopped stringifying attributes, which makes setting the `src` attribute on a `script` tag work under Trusted Types `TrustedScriptURL` enforcement via Content Security Policy. However, such scripts are still blocked. This is because in `domManip` scripts are not inserted directly but instead first disabled and then their `src` attributes are read and inserted in fresh scripts.

There's probably not much we can do when the scripts are deep inside of the inserted HTML string - natively scripts would not fire then, but jQuery does execute them, which will not work here. However, we could at least make `.append(scriptElem)` work by forking the code path and treating such top-level scripts independently.
Link to test case
This test is failing:
https://github.com/mgol/jquery/blob/2ba71fa76c09fad476669a320294edeca6b5513c/test/data/trusted-types-attributes.html#L27-L31
For posterity, JS source, more or less:

```js
// Test policy: passes the URL through unchanged, so every created
// TrustedScriptURL is accepted by the 'script' sink.
const policy = trustedTypes.createPolicy( "jquery-test-policy", {
	createScriptURL: function( html ) {
		return html;
	}
} );

// Set src with a TrustedScriptURL (not a string), then append the script.
const elem = jQuery( "<script></script>" )
	.attr( "src", policy.createScriptURL( "trusted-types-attributes.js" ) );
elem.appendTo( document.body );
```
The expectation is that the `trusted-types-attributes.js` script is executed, but currently it is not if the header `Content-Security-Policy: require-trusted-types-for 'script'` is set.
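The failure mode described above, as an added Node model that is not jQuery's code: a stand-in `TrustedScriptURL`, a pass-through policy like the test's, and a `ScriptElement` whose `src` sink rejects plain strings, the way a browser does under `require-trusted-types-for 'script'`. The `domManip`-style rebuild loses the trusted type because `getAttribute` returns a string; appending the original element keeps it.

```javascript
// Stand-in for the browser's TrustedScriptURL: a wrapped string with a brand.
class TrustedScriptURL {
  constructor(url) { this.url = url; }
  toString() { return this.url; }
}

// Pass-through policy, same shape as the test's "jquery-test-policy".
const policy = {
  createScriptURL(html) { return new TrustedScriptURL(html); },
};

// Stand-in <script> element under Trusted Types enforcement: the src sink
// accepts only a TrustedScriptURL, and reading src back yields a plain string.
class ScriptElement {
  constructor() { this._src = null; }
  setAttribute(name, value) {
    if (name === "src" && !(value instanceof TrustedScriptURL)) {
      throw new TypeError("This document requires 'TrustedScriptURL' assignment");
    }
    this._src = String(value);
  }
  getAttribute(name) { return name === "src" ? this._src : null; }
}

// Current domManip behaviour: read the original's src (now a string) and set
// it on a fresh script. Under enforcement this throws at setAttribute.
function appendViaRebuild(script, container) {
  const fresh = new ScriptElement();
  fresh.setAttribute("src", script.getAttribute("src"));
  container.push(fresh);
  return container;
}

// Proposed fork for a top-level script: insert the element itself, whose src
// was already set through the policy, instead of recreating it.
function appendDirect(script, container) {
  container.push(script);
  return container;
}

function runDemo() {
  const elem = new ScriptElement();
  elem.setAttribute("src", policy.createScriptURL("trusted-types-attributes.js"));
  let rebuildError = null;
  try { appendViaRebuild(elem, []); } catch (e) { rebuildError = e; }
  const direct = appendDirect(elem, []);
  return { rebuildBlocked: rebuildError instanceof TypeError,
           directSrc: direct[0].getAttribute("src") };
}
```

Real enforcement happens in the browser, not in this model; the point is that any code path that round-trips `src` through a string will be blocked, and only the element set through the policy survives.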