Verify that inline script does not run when a CSP specifies "default-src: 'self'" but not 'unsafe-inline'.