For example, if I have

<script nonce="asdf">
x = document.createElement('script');
x.textContent = 'console.log(0)';
document.head.appendChild(x);
</script>

on a page with a CSP of script-src 'strict-dynamic' 'nonce-asdf', does it log 0 or not?

As best I can tell, the CSP spec says no. In particular,

• The inserted script lacks a src attribute, so step 15 of HTML's prepare a script governs, which calls
• Should element’s inline type behavior be blocked by Content Security Policy? with type "script", which in step 3.1.1 calls
• the inline check for script-src, which in step 4 calls
• Does element match source list for type and source?, which
• fails to permit the script via allowing all inline behavior for type "script"
• fails to permit the script via a nonce-source expression, because element does not have a nonce attribute,
• fails to permit the script via a hash-source expression, because there are none, and therefore
• fails to permit the script at all.

(Does element match source list for type and source? makes no mention of strict-dynamic except to turn off unsafe-inline.)

But Firefox and Chrome both allow it. (Safari does not support strict-dynamic at all.)

The section on the usage of strict-dynamic is not helpful; it says that "Script requests which are triggered by non-"parser-inserted" script elements are allowed", which implies it only applies to external scripts, but also says "scripts created at runtime will be allowed to execute", which implies it would apply to inline ones as well.