Disable scripting when sandbox flag is set (#39163)

While I adding spec comments to the CSP crate, I discovered two issues:
1. We should only use the last sandbox value (WPT test added)
2. We weren't checking for the scripting sandbox flag in document

Also, the autoplay test should have allowed scripts to run, otherwise
the test doesn't run. Since we weren't checking the flag before, the
test ran fine for Servo. However, it wouldn't run for other browsers.

Also realized that an existing test was pointing to a non-existent file
(since it doesn't have `.sub`). Updated that and confirmed that in other
browsers it now properly works (it no longer shows a 404). However,
Servo now fails that test as we don't fire an load event.

Part of #913

Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com>

components/script/dom/html/htmlscriptelement.rs

@@ -688,7 +688,7 @@ impl HTMLScriptElement {
         }
 
         // Step 17. If scripting is disabled for el, then return.
-        if !doc.is_scripting_enabled() {
+        if !doc.scripting_enabled() {
             return;
         }
 
@@ -1093,7 +1093,7 @@ impl HTMLScriptElement {
         // TODO use a settings object rather than this element's document/window
         // Step 2
         let document = self.owner_document();
-        if !document.is_fully_active() || !document.is_scripting_enabled() {
+        if !document.is_fully_active() || !document.scripting_enabled() {
             return;
         }
 
@@ -1130,7 +1130,7 @@ impl HTMLScriptElement {
         // TODO use a settings object rather than this element's document/window
         // Step 2
         let document = self.owner_document();
-        if !document.is_fully_active() || !document.is_scripting_enabled() {
+        if !document.is_fully_active() || !document.scripting_enabled() {
             return;
         }