Alternate take for script enforcement. (#236)

* Alternate take for script enforcement. whatwg/dom#789 and whatwg/html#3052

As proposed by @annevk, add slots for script URL / text, populate them
when calling sink functions, and verify them when a script is prepared,
optionally running a default policy on a value read from the DOM if
it's different than the slot value.

It avoids integration points with DOM mutation algorithms, but we still
need to support script.setAttribute('src').

* Fix reviewer's comments.

* Adding a note to DOM issue.