The standard defines `host-source` as so:

`host-source = [ scheme-part "://" ] host-part [ ":" port-part ] [ path-part ]`

This makes these valid `host-source` values:

- `https://www.example.com`
- `www.example.com`

But does not allow `//www.example.com`.
//www.example.com is the correct way to define a scheme relative URI according to RFC 3986, and is also supported everywhere else in the browser, where e.g. img and script tags will accept URLs of this form and resolve them relative to the scheme of the browser, so it is very surprising & inconvenient that the Content-Security-Policy header does not support them.
(Real life use case: SaaS SPA product that took the API URL as a parameter in the form of a fully qualified URL. Converted to a K8S product, where it is up to the client whether they serve on HTTP or HTTPS, so we switched the parameter to a scheme relative URL. Everything works except for the Content-Security-Policy header.)
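The following is an added example, not code from the issue author or from the CSP specification repository. It translates the `host-source` ABNF quoted above into a regular expression (taking `scheme-part`, `host-part` and `port-part` from CSP3 and RFC 3986, with `path-part` simplified to `/` followed by non-delimiter characters) so a policy author can see exactly why `//www.example.com` is rejected while the two forms listed above parse. It also shows the CSP3 scheme-matching rule for a scheme-less source, which is what makes a bare `www.example.com` entry cover both an HTTP and an HTTPS deployment: the protected document's own scheme is used in place of the missing `scheme-part`, and plain `http`/`ws` are allowed to match their secure `https`/`wss` counterparts.

```python
"""Added example: audit CSP directive tokens against the host-source grammar.

Example code written for this page; it is not the spec's reference implementation.
HOST_SOURCE is a hand translation of
    host-source = [ scheme-part "://" ] host-part [ ":" port-part ] [ path-part ]
path-part is simplified to "/" plus any non-space, non-";" / "," characters.
"""
import re
from typing import Optional

HOST_SOURCE = re.compile(
    r"^(?:(?P<scheme>[A-Za-z][A-Za-z0-9+.\-]*)://)?"                # [ scheme-part "://" ]
    r"(?P<host>\*|(?:\*\.)?[A-Za-z0-9\-]+(?:\.[A-Za-z0-9\-]+)*\.?)"  # host-part
    r"(?::(?P<port>\d+|\*))?"                                       # [ ":" port-part ]
    r"(?P<path>/[^\s;,]*)?$"                                        # [ path-part ]
)


def parse_host_source(token: str) -> Optional[dict]:
    """Return the matched components, or None when the token is not a host-source.

    A leading "//" never matches: scheme-part must start with a letter and be
    followed by "://", and host-part cannot begin with "/".
    """
    m = HOST_SOURCE.match(token)
    if not m:
        return None
    return {name: val for name, val in m.groupdict().items() if val is not None}


def audit_directive(value: str) -> list:
    """Split a directive value on whitespace and flag which tokens fail the grammar.

    Quoted keywords such as 'self' are not host-sources and are reported as False;
    this audit only covers the host-source production discussed in the issue.
    """
    return [(tok, parse_host_source(tok) is not None) for tok in value.split()]


def scheme_part_matches(source_scheme: str, url_scheme: str) -> bool:
    """CSP3 scheme-part matching (the cases relevant here).

    Schemes match when equal, or when the source scheme is the insecure variant
    (http -> https, ws -> wss). For a source with no scheme-part, CSP substitutes
    the protected document's scheme as source_scheme.
    """
    a, b = source_scheme.lower(), url_scheme.lower()
    return a == b or (a, b) in {("http", "https"), ("ws", "wss")}


if __name__ == "__main__":
    # Constructed sample tokens, including the scheme-relative form from the issue.
    for tok in ["https://www.example.com", "www.example.com",
                "//www.example.com", "*.example.com:*/api/"]:
        print(f"{tok!r:28} -> {parse_host_source(tok)}")

    # A scheme-less source on an http: page accepts http: and https: API URLs;
    # on an https: page it accepts only https:.
    for page_scheme in ("http", "https"):
        for api_scheme in ("http", "https"):
            ok = scheme_part_matches(page_scheme, api_scheme)
            print(f"page={page_scheme:5} api={api_scheme:5} -> {ok}")
```

Running the script prints `None` for `//www.example.com` and parsed components for the other tokens; the second loop shows that, for the deployment described in the issue, a scheme-less `host-source` already follows whichever scheme the client chose to serve on.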