CSP: 'importScripts()' should be allowed under 'strict-dynamic'

'importScripts()' is not a parser-inserted script-loading mechanism; it
ought to continue loading script in the presence of 'strict-dynamic'.

Bug: 742354
Change-Id: Ice327c6f69183e1b27912c808646d16d0030b934
Reviewed-on: https://chromium-review.googlesource.com/571723Reviewed-by: Jochen Eisinger <jochen@chromium.org>
Commit-Queue: Mike West <mkwst@chromium.org>
Cr-Commit-Position: refs/heads/master@{#486868}

third_party/WebKit/LayoutTests/external/wpt/content-security-policy/script-src/script-src-strict_dynamic_worker-importScripts.https.html

+<!DOCTYPE html>
+<script src='/resources/testharness.js'></script>
+<script src='/resources/testharnessreport.js'></script>
+<script src='../support/testharness-helper.js'></script>
+
+<meta http-equiv="content-security-policy" content="script-src 'nonce-abc' 'strict-dynamic'">
+
+<script nonce="abc">
+  async_test(t => {
+    assert_no_csp_event_for_url(t, "../support/import-scripts.js");
+    var w = new Worker("../support/import-scripts.js");
+    assert_no_event(t, w, "error");
+    waitUntilEvent(w, "message")
+      .then(t.step_func_done(e => {
+        assert_true(e.data.executed);
+      }));
+  }, "`importScripts(...)` is allowed by 'strict-dynamic'");
+</script>

third_party/WebKit/LayoutTests/external/wpt/content-security-policy/support/import-scripts.js

+self.a = false;
+importScripts('/content-security-policy/support/var-a.js');
+postMessage({ 'executed': self.a });

third_party/WebKit/Source/core/workers/WorkerScriptLoader.cpp

@@ -81,6 +81,8 @@ void WorkerScriptLoader::LoadSynchronously(
   ThreadableLoaderOptions options;
 
   ResourceLoaderOptions resource_loader_options;
+  resource_loader_options.parser_disposition =
+      ParserDisposition::kNotParserInserted;
 
   WorkerThreadableLoader::LoadResourceSynchronously(
       ToWorkerGlobalScope(execution_context), request, *this, options,