Check CSP for javascript: URLs (#36709)

Also update a WPT test to fail-fast if the iframe incorrectly
evaluates the `eval`. Before, it would run into a timeout if
the implementation is correct. Now we reject the promise
when an exception is thrown.

Requires servo/rust-content-security-policy#6

Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com>

tests/wpt/meta/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-href.html.ini

@@ -1,3 +0,0 @@
-[javascript_src_denied_missing_unsafe_hashes-href.html]
-  [javascript: navigation using <a href> should be refused due to missing unsafe-hashes]
-    expected: FAIL

tests/wpt/meta/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-window_location.html.ini

@@ -1,3 +0,0 @@
-[javascript_src_denied_missing_unsafe_hashes-window_location.html]
-  [Test that the javascript: src is not allowed to run]
-    expected: FAIL

tests/wpt/meta/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-href.html.ini

@@ -1,3 +0,0 @@
-[javascript_src_denied_wrong_hash-href.html]
-  [javascript: navigation using <a href> should be refused due to wrong hash]
-    expected: FAIL

tests/wpt/meta/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-window_location.html.ini

@@ -1,3 +0,0 @@
-[javascript_src_denied_wrong_hash-window_location.html]
-  [Test that the javascript: src is not allowed to run]
-    expected: FAIL