default-src should cascade to script-src directive