always loadScript with a script tag (#6411)

to avoid Content Security Policy unsafe-line violations

test/javascripts/lib/load-script-test.js.es6

@@ -0,0 +1,24 @@
+import loadScript from "discourse/lib/load-script";
+
+QUnit.module("lib:load-script");
+
+QUnit.test(
+  "load with a script tag, and callbacks are only executed after script is loaded",
+  async assert => {
+    const src = "/javascripts/ace/ace.js";
+
+    await loadScript(src).then(() => {
+      assert.ok(
+        typeof ace !== "undefined",
+        "callbacks should only be executed after the script has fully loaded"
+      );
+
+      // cannot use the `find` test helper here because the script tag is injected outside of the test sandbox frame
+      const scriptTags = Array.from(document.getElementsByTagName("script"));
+      assert.ok(
+        scriptTags.some(scriptTag => scriptTag.src.includes(src)),
+        "the script should be loaded with a script tag"
+      );
+    });
+  }
+);

test/javascripts/test_helper.js

@@ -52,7 +52,6 @@ window.MessageBus.stop();
 
 // Trick JSHint into allow document.write
 var d = document;
-d.write('<script src="/javascripts/ace/ace.js"></script>');
 d.write(
   '<div id="ember-testing-container"><div id="ember-testing"></div></div>'
 );