data: as script src should not run with a policy that doesn't specify data: as an allowed source