addons-linter
Reject nonces, hashes and remote values, at least in script-src-elem and script-src-attr
In #3007 the issue was raised that the linter doesn't recognize script-src-elem and script-src-attr. In #4452 this was fixed by re-using the existing validation logic of script-src.
The script-src validation logic is needlessly complicated.
In MV3, the only permitted values for script-src are 'self', 'wasm-unsafe-eval' and 'none' (but 'self' is documented to be required in script-src because otherwise an extension is going to be quite useless).
At the very least, since script-src-elem and script-src-attr are new, we can do the following:
- script-src-elem: if specified, may only contain 'self' or 'none'
- script-src-attr: if specified, may only contain 'none' (in particular, nonce and hashes are NOT supported - https://bugzilla.mozilla.org/show_bug.cgi?id=1789759)
Additionally:
- nonce can be removed from src/const.js's CSP_KEYWORD_RE, since it is not supported at all in Firefox.
- "strict-dynamic" and "unsafe-hashed-attributes" can be removed from the start of src/const.js's CSP_KEYWORD_RE; these keywords are not accepted by Firefox.
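
A sketch of the allow-list check proposed above, added here as an illustration and not taken from the addons-linter code base. It assumes an MV3 extension policy; the names `ALLOWED_SOURCES`, `parseCsp` and `findDisallowedScriptSources` are hypothetical, and the sample policy is constructed.

```javascript
// Allow-lists per directive, taken from the issue text (MV3 assumed).
const ALLOWED_SOURCES = new Map([
  ['script-src', new Set(["'self'", "'wasm-unsafe-eval'", "'none'"])],
  ['script-src-elem', new Set(["'self'", "'none'"])],
  ['script-src-attr', new Set(["'none'"])],
]);

// Parse a serialized CSP into a Map of directive name -> source list.
// Directive names are case-insensitive, and only the first occurrence of a
// directive counts; later duplicates are ignored, as a CSP parser does.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Return one finding per source expression that is outside the allow-list,
// so nonces, hashes and remote hosts are all reported.
function findDisallowedScriptSources(policy) {
  const findings = [];
  for (const [name, sources] of parseCsp(policy)) {
    const allowed = ALLOWED_SOURCES.get(name);
    if (!allowed) continue; // not a script directive covered here
    for (const source of sources) {
      // Keyword sources match case-insensitively; normalise before lookup.
      if (!allowed.has(source.toLowerCase())) {
        findings.push({ directive: name, source });
      }
    }
  }
  return findings;
}

// Constructed sample: a remote host, a nonce, a hash, and a duplicate
// directive that must not mask the first (effective) script-src-attr.
const SAMPLE =
  "script-src 'self' https://cdn.example; " +
  "script-src-elem 'self' 'nonce-abc123'; " +
  "script-src-attr 'sha256-AAAA'; SCRIPT-SRC-ATTR 'none'";
console.log(findDisallowedScriptSources(SAMPLE));
```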