CSP with commas is parsed in a confusing way #10

@briansmith

Description

Consider the input:

base-uri 'none';
default-src 'self';
object-src 'none';
style-src 'unsafe-inline';
script-src 'unsafe-inline' 'sha256-HEtTzbIgu0I33A3DZbJTheKFftQg+kS2n0OFuHExFuc='

That passes the evaluator just fine, with no warnings.

Now, consider this stronger combination of two policies:

base-uri 'none';
default-src 'self';
object-src 'none';
style-src 'unsafe-inline',
script-src 'unsafe-inline' 'sha256-HEtTzbIgu0I33A3DZbJTheKFftQg+kS2n0OFuHExFuc='

The intent of this second input is to require that a script be loaded from self AND match the given hash, if the browser supports CSP hash, by asking for the intersection of two policies. This is a stronger policy than the original policy. However, the evaluator complains that "'self' can be problematic if you host JSONP, Angular or user uploaded files" because it doesn't notice the script-src. It also complains about the style-src directive because it doesn't recognize the comma that separates the two policies.

Ideally, the evaluator should be extended to understand multiple policies joined using a comma.

This example uses CSP hash, which is rare. However, I believe several people have advocated for a similar technique of combining multiple policies that uses CSP nonce instead of CSP hash, so it would be good to support this pattern.
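The parsing behaviour the issue asks for, as an added example that is not part of the issue or of csp-evaluator's own code: a header value is first split on commas into independent policies, each policy is split on semicolons into directives, and the sources governing scripts are resolved per policy (script-src, falling back to default-src). Run over the second policy from the issue, it shows that the comma yields two policies, that style-src in the first policy is a clean 'unsafe-inline' rather than "'unsafe-inline',", and that the second policy pins scripts to a hash even though the first only says 'self'. The function names and the hash-or-nonce check are this example's own.

```javascript
// Added example (not code from csp-evaluator): split a Content-Security-Policy
// header value into its comma-separated policies and resolve, per policy, which
// sources govern script execution. The policy text is the one from the issue.

// Split on commas first (each comma starts a new, independently enforced
// policy), then on semicolons into directives, then on whitespace into the
// directive name and its source values. Commas cannot occur inside a source
// expression, so splitting on them does not break any value.
function parseCspHeader(headerValue) {
  return headerValue
    .split(',')
    .map((policyText) => policyText.trim())
    .filter((policyText) => policyText.length > 0)
    .map((policyText) => {
      const directives = new Map();
      for (const rawDirective of policyText.split(';')) {
        const tokens = rawDirective.trim().split(/\s+/).filter(Boolean);
        if (tokens.length === 0) continue;
        const name = tokens[0].toLowerCase();
        // A repeated directive within one policy is ignored by browsers; keep the first.
        if (!directives.has(name)) directives.set(name, tokens.slice(1));
      }
      return directives;
    });
}

// Sources governing scripts in one policy: script-src if present, otherwise
// default-src, otherwise null (scripts unrestricted by this policy).
function effectiveScriptSources(policy) {
  if (policy.has('script-src')) return policy.get('script-src');
  if (policy.has('default-src')) return policy.get('default-src');
  return null;
}

// One entry per policy. A script runs only if every policy allows it, so a
// linter has to look at all entries, not just the first one.
function scriptSourcesPerPolicy(headerValue) {
  return parseCspHeader(headerValue).map(effectiveScriptSources);
}

// Does at least one policy constrain scripts with a hash or nonce? This is the
// signal the evaluator misses when it only reads the first policy's default-src.
function someScriptPolicyUsesHashOrNonce(headerValue) {
  return scriptSourcesPerPolicy(headerValue).some(
    (sources) =>
      sources !== null &&
      sources.some((s) => /^'(sha256|sha384|sha512|nonce)-/.test(s)),
  );
}

// Header value from the issue (two policies joined by a comma).
const TWO_POLICIES =
  "base-uri 'none'; default-src 'self'; object-src 'none'; style-src 'unsafe-inline', " +
  "script-src 'unsafe-inline' 'sha256-HEtTzbIgu0I33A3DZbJTheKFftQg+kS2n0OFuHExFuc='";

console.log(scriptSourcesPerPolicy(TWO_POLICIES));
console.log(someScriptPolicyUsesHashOrNonce(TWO_POLICIES));
```

The per-policy list is the view a linter needs: the first policy's scripts are governed by default-src 'self' and the second's by the hash, so any warning about a bare 'self' should be evaluated against the intersection rather than against the first policy alone.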
