We currently only say what resources can live outside the container, but for improved clarity (and security) we should probably also explicitly say where these references are allowed (see also #1061 (comment)).

The proposal would be to:

• restrict remote audio to the audio + source elements and the MO audio element
• restrict remote video to the video + source elements
• restrict remote fonts to CSS @font-face rules, @import rules, and the html link element
• restrict remote data to scripting API calls (XHR and Fetch)

Data blocks can't be external per html ("When used to include data blocks, the data must be embedded inline") so we don't need to allow references from script.