CSP host-source implementation mistake
Reported by jarp...@gmail.com, Oct 4
Issue description

UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0

Steps to reproduce the problem:

1. Create a file with the following content:

```html
<meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-inline' http://example.com:443;">
<script src="https://example.com"></script>
```

2. The script src is not loaded due to CSP violation.

What is the expected behavior?

According to CSP Level 2 and 3, the src should be allowed. HTTPS is more secure than HTTP and 443 is the default port for HTTPS.

We read in https://www.w3.org/TR/CSP2/:

```
Note: If url doesn't specify a port, then its origin's port will be the default port for url's scheme.
```

In https://www.w3.org/TR/CSP3/ we have:

```
If expression does not have a scheme-part, then return "Does Not Match" unless one of the following conditions is met:
(...)
2. origin's scheme is "http", and url's scheme one of "https", "ws", or "wss".
```

What went wrong?

The script is not loaded due to CSP violation.

Did this work before? No

Chrome version: 69.0.3497.100 (Official Build) (64-bit)
Channel: stable
OS Version: 10.0
Flash Version: 31.0.0.108
Oct 8
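The matching rule the report relies on, as an added example that is not Chromium's code: a minimal JavaScript implementation of the CSP3 host-source match for scheme, host and port, where a URL without an explicit port carries the default port of its own scheme. Function names and the origin site.test are assumptions; paths and redirects are left out.

```javascript
// Default port per scheme (what a URL "carries" when it names no port).
const DEFAULT_PORT = { "http:": 80, "https:": 443, "ws:": 80, "wss:": 443 };

// CSP3 "scheme-part matches": a source scheme also matches its secure upgrade.
function schemeMatches(exprScheme, urlScheme) {
  if (exprScheme === urlScheme) return true;
  if (exprScheme === "http:" && urlScheme === "https:") return true;
  if (exprScheme === "ws:" && ["wss:", "http:", "https:"].includes(urlScheme)) return true;
  return exprScheme === "wss:" && urlScheme === "https:";
}

// Host-part: exact match, or a leading "*." that must cover at least one label.
function hostMatches(exprHost, urlHost) {
  if (exprHost.startsWith("*.")) {
    const suffix = exprHost.slice(1); // ".example.com"
    return urlHost.endsWith(suffix) && urlHost.length > suffix.length;
  }
  return exprHost === urlHost;
}

// Port-part: no port-part only admits the URL's default port; "*" admits any;
// an explicit port-part is compared with the URL's port, or, when the URL
// names none, with the default port of the URL's scheme (443 for https),
// not with the default port of the expression's scheme (the bug reported above).
function portMatches(exprPort, url) {
  if (exprPort === undefined) return url.port === "";
  if (exprPort === "*") return true;
  if (url.port !== "") return url.port === exprPort;
  return Number(exprPort) === DEFAULT_PORT[url.protocol];
}

// Does urlString match the host-source `expression` for a policy on originString?
function hostSourceMatches(expression, urlString, originString) {
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[a-z0-9.-]+)(?::(\d+|\*))?(\/.*)?$/i.exec(expression);
  if (!m) throw new Error("not a host-source: " + expression);
  const [, scheme, host, port] = m;
  const url = new URL(urlString);       // URL parser drops default ports: port === ""
  const origin = new URL(originString);
  if (scheme) {
    if (!schemeMatches(scheme.toLowerCase() + ":", url.protocol)) return false;
  } else if (origin.protocol !== url.protocol &&
             !(origin.protocol === "http:" && ["https:", "ws:", "wss:"].includes(url.protocol))) {
    return false; // no scheme-part: fall back to the protected resource's origin
  }
  if (host !== "*" && !hostMatches(host.toLowerCase(), url.hostname)) return false;
  return portMatches(port, url);
}

// The report's case: http://example.com:443 must admit https://example.com.
hostSourceMatches("http://example.com:443", "https://example.com", "http://site.test"); // true
```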
Comment 1 by mea...@chromium.org, Oct 5

Components: Blink>SecurityFeature
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam OS-Android OS-Chrome OS-Fuchsia OS-Linux OS-Mac Type-Bug