Allow embedded <script> tags to have attributes added

Created on 1 May 2025, 16 days ago

Problem/Motivation

We've been using Security Kit with the semi-automatic nonce patch from issue 3245008, Implement a "semi automatic" Nonce settings (Needs work). We can't display embedded H5Ps because the embed code is generated client-side and won't use the nonce from the document.

If we use the embed endpoint we could alter the output using an EventSubscriber to inject the nonce into the iframed contents, but this won't work when the iframe is dynamically rendered into the page.

Steps to reproduce

  • Enable H5P and Security Kit
  • Apply nonce patch
  • Set up new H5P node
  • Try and display node

Proposed resolution

This is a tough one because the nonce should be securely managed the whole way down. We can't fetch it from other <script> elements on the page because the browser won't let us; in any case, the H5P integration script is not set up to allow injected style or script elements to be modified prior to rendering.

Remaining tasks

I'll have to figure out the approach needed before this can be appropriately tackled.

User interface changes

None.

API changes

Some may be required to pass through the nonce or modify markup.

Data model changes

None.

Feature request
Status

Active

Version

2.0

Component

Code

Created by

🇦🇺Australia geoffreyr Sydney, AU / Gadigal country
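
The response rewrite mentioned above for the embed endpoint, as an added example (not code from Security Kit, H5P or this issue): it adds the nonce to script and style elements in a server-rendered frame document and builds the matching policy header. The names `addNonce` and `cspFor`, the sample markup and the nonce value are assumptions, and it does nothing for markup generated client-side.

```javascript
// Added example. Function names, sample markup and nonce are constructed.

// A CSP nonce is a base64/base64url token; refuse anything else so the value
// cannot break out of the attribute it is written into.
const NONCE_RE = /^[A-Za-z0-9+\/_-]+={0,2}$/;

// A whole <script> or <style> element: tag name, attribute text, raw body.
// Matching the body too keeps "<script>" inside a JS string from being
// treated as a tag.
const RAW_ELEMENT_RE =
  /<(script|style)\b((?:"[^"]*"|'[^']*'|[^'">])*)>([\s\S]*?)<\/\1\s*>/gi;

// Add nonce="..." to every script/style element that lacks one. Only for
// markup the server generated itself: a nonce on user-supplied markup would
// authorise it.
function addNonce(html, nonce) {
  if (!NONCE_RE.test(nonce)) throw new Error('nonce is not a base64 token');
  let patched = 0;
  const out = html.replace(RAW_ELEMENT_RE, (whole, name, attrs, body) => {
    // Elements that already carry a nonce are left exactly as they are.
    if (/(^|\s)nonce\s*=/i.test(attrs)) return whole;
    patched += 1;
    return `<${name} nonce="${nonce}"${attrs}>${body}</${name}>`;
  });
  return { html: out, patched };
}

// Header to send with the same response; a framed document is checked
// against its own policy, so header and attributes must carry one value.
function cspFor(nonce) {
  if (!NONCE_RE.test(nonce)) throw new Error('nonce is not a base64 token');
  return `script-src 'nonce-${nonce}'; style-src 'nonce-${nonce}'`;
}

// Constructed frame document and nonce (generate a fresh nonce per response).
const sampleEmbed = [
  '<html><head>',
  '<style>.frame{margin:0}</style>',
  '<script src="/embed/core.js"></script>',
  '</head><body>',
  '<script>var s = "<script>not a tag<\\/script>";</script>',
  '</body></html>',
].join('\n');
const sampleNonce = 'c2FtcGxlLW5vbmNl';

console.log(cspFor(sampleNonce));
console.log(addNonce(sampleEmbed, sampleNonce).html);
```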
