Description
I hypothesize that most don't consider the possibility that a script may be used as a gadget by an attacker. In particular, hash source and similar mechanisms don't work as one expects if the script is accidentally non-idempotent (executing it a 2nd, 3rd, ..., nth time creates a problem that isn't caused by executing it the first time), or if the safety of the script's logic depends on where exactly in the document it is inserted (e.g. before `<body>` vs after `<body>`, before `DOMContentLoaded` vs after, etc.).
One possibility would be to mark a hash source as "allow at most once". Then, if we put the whitelisted script as early in the document as possible, e.g. immediately after `<meta charset>` and `<meta http-equiv=Content-Security-Policy>` at the very top of the document, we can enforce that the hash source allows our own insertion of the script into the document, while blocking (virtually) all possible attempts to abuse the whitelisted script by attackers.
In particular, I propose to try to make this "allow at most once" semantics the one and only semantics for hash source. That is, instead of providing a way to opt into this proposed behavior, make it the default, and don't provide any way to opt out of it. This would technically be a breaking change but it probably doesn't actually break anything, since hash source probably isn't being used for scripts where the author intends the script to execute more than once.
(My goal in proposing this is to lock down the "Switch from `<script>` to ES6 imports" idea described in #243 (comment), but I think it probably is more generally useful.)