CSP with commas are parsed in a confusing way about csp-evaluator HOT 2 OPEN

Thank you for reporting Brian.
We're aware of the issue (we actually do use and recommend double policies [1]), but we currently don't have the bandwidth to implement support for multiple policies in the CSP Evaluator.
This would require intersecting findings across policies which would need a complex rule set for matching hosts/paths/wildcards/protocols/etc.
E.g. Findings for entries like https://www.google.com/, *.google.com/, https://www.google.com/bar and https:// would need to be matched across policies and potentially across different directives (default-src/script-src) to determine, if the intersection would still allow a CSP bypass.

For simple cases like the one you posted above, you can evaluate policies individually and manually intersect results.

[1] https://speakerdeck.com/lweichselbaum/csp-a-successful-mess-between-hardening-and-mitigation?slide=44

from csp-evaluator.

There are multiple aspects of this, some of which are easier to fix than others:

• If I understand my own bug report correctly, the evaluator doesn't parse these policies correctly. At the very least, I think the parser could/should be fixed.
• If the evaluator were to split policies on commas properly during parsing, then it could process each policy independently and report results for each independently.
• If the evaluator were to process policies split on commas properly, then it could implement "If any of the policies would have generated a good result, then the entire combined policy generates a good result. Otherwise, tell the user that multiple policies combined using commas are not fully supported."

from csp-evaluator.