Track the source of a given policy. (#214)

In order to support the nonce-hiding changes suggested in whatwg/html#2373, this
patch adds a 'source' to each policy object, which allows us to determine whether
it was sent via an HTTP header or a '<meta>' element.

As a drive-by, it also cleans up the formatting and structure of the parsing
algorithms, and more formally defines a 'CSP list' for clarity.