Apply strict-dynamic to inline scripts.

As noted in #426, the current "Does element match source list for type
and source?" algorithm does not properly handle `strict-dynamic` checks
for non-parser-inserted inline scripts. This patch adds a relevant step
to the algorithm to match both browser behavior and our existing tests:

https://wpt.fyi/results/content-security-policy/script-src/script-src-strict_dynamic_non_parser_inserted.html?label=experimental&label=master&aligned

Fixes #426.

Author: mikewest

index.bs

@@ -4412,6 +4412,10 @@ Content-Type: application/reports+json
 
       2.  <a for=set>For each</a> |expression| of |list|:
 
+          1.  If |expression| is the "<a grammar>`'strict-dynamic'`</a>" <a grammar>keyword-source</a>:
+
+              1.  If |type| is "`script`", and |element| is not [=parser-inserted=], return "`Matches`".
+
           1.  If |expression| matches the <a grammar>`hash-source`</a> grammar:
 
               1.  Let |algorithm| be null.
@@ -4448,8 +4452,6 @@ Content-Type: application/reports+json
       they will also apply to event handlers, style attributes and `javascript:`
       navigations.
 
-  ISSUE(w3c/webappsec-csp#426): This should handle `'strict-dynamic'` for dynamically inserted inline scripts.
-
   6.  Return "`Does Not Match`".
 
   <h3 id="directive-algorithms">Directive Algorithms</h3>