Polyfill fails in Edge with strict Content Security Policy headers

[mikejamesthompson]

When CSP headers are set to only allow styles from a specific source (e.g. style-src 'self'), the CSS injected by the polyfill will be blocked by versions of Edge running EdgeHTML, stopping the polyfill from working properly.

The remedy is to add the sha256 hash of the injected CSS to the header sent to the browser or to adapt the polyfill to inject a stylesheet <link> element instead, although I think the former is preferable.

See this Mozilla guideline on web security for more info: https://infosec.mozilla.org/guidelines/web_security#content-security-policy

I don't think there's any need for a material change to the code, but perhaps a warning in the readme might help people anticipate this problem. Happy to submit a PR for this if that's helpful