data: as script src should run with a policy that specifies data: as an allowed source but not 'unsafe-inline'