Figure out if there is a better way to guard navigations to javascript: across documents

[koto]

Related to #357 as cross-window navigations can be triggered from svg:use-loaded documents.

TT protect the navigation to javascript: a bit differently than script-src.

• require-trusted-types-for directive only uses pre-navigation check
• script-src directive uses inline check

As a consequence, require-trusted-types-for will not stop a <a target=somewindow href=javascript:foo> if a target window does not have the require-trusted-types-for (poc). script-src will stop such navigation (poc). That was described in https://microsoftedge.github.io/edgevr/posts/eliminating-xss-with-trusted-types/#cross-document-vectors.

It's not yet clear to me why is the navigation under script-src blocked, but it would be nice to be able to align with this, if possible.

[shhnjk]

I looked into this, and I don't think this is a spec bug but rather an implementation bug.
Currently, there is only check at the time of executing javascript: url, which doesn't match the spec.

I drafted a CL to match inline check in CSP, which resolves this bypass. However, that requires changing a spec to match the implementation if I commit it.

Therefore, I'll try to look for a way to implement a fix that matches current TT spec and see if that also resolve this issue.

For now, closing this issue as an implementation issue rather than a spec issue.