whatwg / html

HTML Standard
https://html.spec.whatwg.org/multipage/

Support `allow` attributes on `<script>`s #10764

Open MartijnCuppens opened 3 days ago

MartijnCuppens commented 3 days ago

What problem are you trying to solve?

Should we support the `allow` attribute on scripts, like we do on `<iframe>`s? Or is there a better alternative for per-script permissions?

https://developer.mozilla.org/en-US/docs/Web/API/HTMLIFrameElement/allow

```html
<!-- Don't allow geolocation for this external script: -->
<script src="https://example.com/script.js" allow="geolocation 'none'"></script>
```

annevk commented 2 days ago

It's not clear how this would work.

MartijnCuppens commented 2 days ago

The Permissions Policy specified by the allow attribute implements a further restriction on top of the policy specified in the Permissions-Policy header of the current document. It doesn't replace it, just like the effect of allow on iframes.
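
A simplified model of the "further restriction on top of the header" semantics described in the comment above, as an added example that is not part of the thread or of any specification. The function names, matching the attribute's allowlist against the script's source origin, treating a bare feature name as `'self'`, and treating a feature missing from the header as enabled for the document are all assumptions.

```javascript
// Simplified model (added example). Header syntax handled: feature=*, feature=(),
// and lists of self / "origin". Attribute syntax handled: *, 'self', 'none', origins.
function parseHeader(value) {
  const policy = new Map();
  for (const m of value.matchAll(/([a-z-]+)=(\*|\(([^)]*)\))/g)) {
    const tokens = m[2] === '*' ? ['*'] : m[3].split(/\s+/).filter(Boolean);
    policy.set(m[1], tokens.map(t => t.replace(/"/g, '')));
  }
  return policy;
}

function parseAllow(value) {
  const policy = new Map();
  for (const directive of value.split(';')) {
    const [feature, ...tokens] = directive.trim().split(/\s+/).filter(Boolean);
    if (!feature) continue;
    // Assumption: a bare feature name means 'self'. 'none' is kept as a token
    // that never matches any origin, so it yields an empty allowlist.
    const list = tokens.length ? tokens : ["'self'"];
    policy.set(feature, list.map(t => t.replace(/^'(self|none)'$/, '$1')));
  }
  return policy;
}

function matches(allowlist, origin, documentOrigin) {
  return allowlist.some(t =>
    t === '*' || t === origin || (t === 'self' && origin === documentOrigin));
}

// Hypothetical check: the attribute can only narrow what the header grants.
// A feature absent from the header or the attribute is not narrowed by it.
function scriptMayUse(feature, scriptOrigin, documentOrigin, headerValue, allowValue) {
  const header = parseHeader(headerValue).get(feature);
  const attr = parseAllow(allowValue).get(feature);
  const byHeader = header ? matches(header, documentOrigin, documentOrigin) : true;
  const byAttr = attr ? matches(attr, scriptOrigin, documentOrigin) : true;
  return byHeader && byAttr;
}

// Constructed sample: the markup from the opening comment on a document
// whose header is "geolocation=(self)".
const DOC = 'https://site.example';       // constructed document origin
const SCRIPT = 'https://example.com';     // origin of the script in the thread
console.log(scriptMayUse('geolocation', SCRIPT, DOC,
  'geolocation=(self)', "geolocation 'none'"));
```

The model takes `scriptOrigin` as an input; how a browser would know that value for code that is already running is the open question raised in the thread.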

annevk commented 2 days ago

In particular it's not clear how you tie some script that is executing back to its script element. That's not a concept that exists. E.g., what if this script creates some elements with event handlers that invoke the relevant permissions?