The behaviour of `unsafe-dynamic` you propose seems pretty confusing to describe to me (you have to distinguish between "parser-inserted" and not), and I'm not sure how it integrates with other browser functionality.
A particular case I'm confused about is:
1. create a new document with `document.implementation.createDocument()`
2. use that document to safely parse untrusted HTML (as is done by DOMPurify)
3. use `appendChild()` to copy nodes from that document into a second document
It seems like the scripts would run in that case (assuming the target document had a CSP of `unsafe-dynamic`), even though the scripts were created by the parser?
I'm also worried that it randomly tinkers with other parts of the CSP in peculiar ways (a `hash` or a `nonce` is required to run the initial script, you can't use an origin or `unsafe-inline` or `unsafe-eval`).
I'm not totally against the idea, because it seems useful to get more people using a CSP, but I think the current approach is very complicated. It might be simpler to add `unsafe-dynamic` that lets you do `appendChild(script)` but which doesn't break any of the other CSP directives, and solve the compatibility issue with server-side user-agent detection.