Forcibly neutralize lazy loading attributes when scripting is disabled.

src/content/onScriptDisabled.js

@@ -46,6 +46,43 @@ function onScriptDisabled() {
     }
   }
 
+  {
+    // Force loading attributes to "eager", since CSP-based script blocking
+    // does not disable lazy loading as it should to address the privacy
+    // concerns mentioned in the specification.
+    // See https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/42805
+
+    const toEager = el => el.setAttribute("loading", "eager");
+    const toEagerAll = parent => [... parent.querySelectorAll("[loading=lazy]")].forEach(toEager);
+
+    toEagerAll(document);
+    if (document.readyState === "loading") {
+
+      const observer = new MutationObserver(records => {
+        for (const r of records) {
+          console.log(r);
+          switch(r.type) {
+            case "attributes":
+              if (r.attributeName === "loading") {
+                toEager(r.target);
+              }
+              break;
+            case "subtree":
+              toEagerAll(r.target);
+              break;
+          }
+
+        }
+      });
+
+      observer.observe(document.documentElement, {subtree: true, attributeFilter: ["loading"]});
+      addEventListener("DOMContentLoaded", e => {
+        toEagerAll(document);
+        observer.disconnect();
+      });
+    }
+  }
+
   let eraser = {
     tapped: null,
     delKey: false,