CSP double policies enable setups that are not possible with just one CSP. When a browser sees a response with multiple CSP headers (or a single CSP header split into several policies by commas ","), the browser enforces all of those policies.
One common use case is supporting strict-dynamic with nonces together with a URI allowlist, which isn't possible with a single script-src directive.
There's more information in this talk: https://youtu.be/_L06HetskC4?t=1754.
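The following is an added example, not code from this issue or from the project: a deliberately simplified model of how a browser evaluates `script-src` across several delivered policies. It splits header values into policies, evaluates each policy on its own (nonces, host sources and `'strict-dynamic'` only; hashes, `'self'`, `default-src` fallback and the full CSP3 source-matching algorithm are left out), and then applies the rule that a load must be allowed by every policy. The nonce value and the hostnames `cdn.example.com` and `evil.example` are constructed for the demo.

```javascript
// Added example (not from the original issue): simplified model of multi-policy
// CSP enforcement for script-src. Only nonces, host sources and
// 'strict-dynamic' are modelled; hashes, 'self', default-src fallback and the
// full CSP3 matching algorithm are intentionally omitted.

// Split one or more Content-Security-Policy header values into policies.
// A single header may carry several comma-separated policies; each policy is
// a semicolon-separated list of directives. Returns an array of Map objects
// keyed by directive name.
function parsePolicies(headerValues) {
  const policies = [];
  for (const header of headerValues) {
    for (const policyText of header.split(",")) {
      const directives = new Map();
      for (const directiveText of policyText.split(";")) {
        const tokens = directiveText.trim().split(/\s+/).filter(Boolean);
        if (tokens.length === 0) continue;
        const [name, ...sources] = tokens;
        directives.set(name.toLowerCase(), sources);
      }
      if (directives.size > 0) policies.push(directives);
    }
  }
  return policies;
}

// Simplified host-source matching: "https:", "https://host", "https://*.host",
// optionally with a path. Keyword sources (quoted) never match as hosts.
function hostMatches(source, url) {
  if (source.startsWith("'")) return false;
  const u = new URL(url);
  if (source === "https:") return u.protocol === "https:";
  const m = /^(?:(https?):\/\/)?(\*\.)?([^/:*]+)(\/.*)?$/.exec(source);
  if (!m) return false;
  const [, scheme, wildcard, host, path] = m;
  if (scheme && u.protocol !== scheme + ":") return false;
  if (wildcard) {
    if (!u.hostname.endsWith("." + host)) return false;
  } else if (u.hostname !== host) {
    return false;
  }
  if (path) {
    return path.endsWith("/") ? u.pathname.startsWith(path) : u.pathname === path;
  }
  return true;
}

// Does ONE policy's script-src allow this script?
// script = { url, nonce?, propagated? } where "propagated" means the element
// was created by already-trusted code via a non-parser-inserted API
// (createElement/appendChild), which is what 'strict-dynamic' extends trust to.
function policyAllowsScript(directives, script) {
  const sources = directives.get("script-src");
  if (!sources) return true; // simplification: no default-src fallback
  if (script.nonce && sources.includes(`'nonce-${script.nonce}'`)) return true;
  if (sources.includes("'strict-dynamic'")) {
    // Host allowlist entries are ignored when 'strict-dynamic' is present.
    return script.propagated === true;
  }
  return sources.some((s) => hostMatches(s, script.url));
}

// Browser semantics for multiple policies: every policy must allow the load.
function scriptAllowed(policies, script) {
  return policies.every((p) => policyAllowsScript(p, script));
}

const NONCE = "r4nd0m"; // constructed; real nonces are fresh per response

// Single policy: 'strict-dynamic' makes the browser ignore the host allowlist.
const single = parsePolicies([
  `script-src 'nonce-${NONCE}' 'strict-dynamic' https://cdn.example.com`,
]);

// Double policy (comma-split here; two separate headers behave the same):
// the first grants strict-dynamic, the second confines propagated loads to
// the allowlist. A script must pass both.
const double = parsePolicies([
  `script-src 'nonce-${NONCE}' 'strict-dynamic', script-src 'nonce-${NONCE}' https://cdn.example.com`,
]);

function demo() {
  const propagatedCdn = { url: "https://cdn.example.com/lib.js", propagated: true };
  const propagatedEvil = { url: "https://evil.example/x.js", propagated: true };
  const parserInsertedCdn = { url: "https://cdn.example.com/lib.js", propagated: false };
  const noncedEvil = { url: "https://evil.example/x.js", nonce: NONCE };
  return {
    singleEvil: scriptAllowed(single, propagatedEvil),          // true: allowlist ignored
    doubleCdn: scriptAllowed(double, propagatedCdn),            // true: passes both
    doubleEvil: scriptAllowed(double, propagatedEvil),          // false: second policy blocks
    doubleParserInserted: scriptAllowed(double, parserInsertedCdn), // false: first policy blocks
    doubleNonced: scriptAllowed(double, noncedEvil),            // true: nonce satisfies both
  };
}
```

The `doubleEvil` case is the point of the issue: with a single directive the allowlist is dead weight once `'strict-dynamic'` is present, but a second policy is evaluated independently and still requires the host to be on the allowlist, so the effective policy is the intersection of the two.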