secure_headers
Support CSP "double policies"
CSP double policies enable setups that are not possible with just one CSP. When a browser sees a response with multiple CSP headers (or a single CSP header split via commas ","), the browser will enforce all those policies.
One common use case here is to support strict-dynamic with nonces and a URI allowlist, which isn't possible with a single script-src directive.
There's more information in this talk: https://youtu.be/_L06HetskC4?t=1754.
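To make the "browser enforces all policies" rule concrete, here is an added Ruby example (not code from the secure_headers gem or from this issue's author) that models a CSP3-style `script-src` check across several policies and runs it against the strict-dynamic-plus-allowlist setup described above. The evaluator is a deliberate subset of CSP: it understands `'self'`, `'nonce-…'`, `'strict-dynamic'` and plain `scheme://host` sources, ignores hashes, ports, paths and wildcards, and the origin, nonce and script URLs are constructed sample values.

```ruby
# Added example: a minimal model of how a browser applies several CSP
# policies to one script load. A script runs only if EVERY policy allows it.
# Subset of CSP3: 'self', 'nonce-…', 'strict-dynamic', scheme://host sources.

Script = Struct.new(:url, :nonce, :parser_inserted, keyword_init: true)

# "scheme://host" of a URL or host-source, or nil if it is not http(s).
def origin_of(url)
  m = url.match(%r{\A(https?)://([^/:?#]+)})
  m && "#{m[1]}://#{m[2].downcase}"
end

# "script-src 'self' https://cdn.example.com; img-src 'none'"
#   => { "script-src" => ["'self'", "https://cdn.example.com"], "img-src" => ["'none'"] }
def parse_policy(serialized)
  serialized.split(';').each_with_object({}) do |directive, out|
    name, *sources = directive.strip.split(/\s+/)
    out[name] = sources unless name.nil? || name.empty?
  end
end

# Does one source expression match the script?
def source_matches?(source, script, page_origin)
  script_origin = origin_of(script.url)
  return script_origin == page_origin if source == "'self'"
  if (m = source.match(%r{\A'nonce-([A-Za-z0-9+/=_-]+)'\z}))
    return !script.nonce.nil? && m[1] == script.nonce
  end
  return origin_of(source) == script_origin if source.start_with?('http://', 'https://')
  false
end

# One policy's script-src, CSP3 semantics: when 'strict-dynamic' is present
# together with a nonce source, host and 'self' sources are IGNORED; a script
# is allowed if its nonce matches or if it was inserted by script rather than
# by the HTML parser (trust propagated from an already-trusted script).
def policy_allows_script?(policy, script, page_origin)
  sources = policy['script-src'] || policy['default-src'] || []
  nonce_sources = sources.grep(/\A'nonce-/)
  if sources.include?("'strict-dynamic'") && !nonce_sources.empty?
    return true if nonce_sources.any? { |s| source_matches?(s, script, page_origin) }
    return !script.parser_inserted
  end
  sources.any? { |s| source_matches?(s, script, page_origin) }
end

# Several Content-Security-Policy headers, or one header whose value joins
# policies with ", ", are all enforced: the effective policy is the intersection.
def all_policies_allow_script?(headers, script, page_origin)
  headers.flat_map { |h| h.split(',') }
         .map { |p| parse_policy(p) }
         .all? { |policy| policy_allows_script?(policy, script, page_origin) }
end

# --- constructed sample data for the scenario in the issue -------------------
PAGE_ORIGIN = 'https://app.example'.freeze          # constructed page origin
NONCE = 'r4nd0mNonce'.freeze                         # constructed per-response nonce
NONCE_POLICY = "script-src 'nonce-#{NONCE}' 'strict-dynamic'".freeze
ALLOWLIST_POLICY = "script-src 'self' https://cdn.example.com".freeze
DOUBLE_POLICY = [NONCE_POLICY, ALLOWLIST_POLICY].freeze

# Four representative script loads, evaluated against a given set of headers.
def demo_results(headers = DOUBLE_POLICY)
  cases = {
    nonced_cdn_script:     Script.new(url: 'https://cdn.example.com/lib.js', nonce: NONCE, parser_inserted: true),
    nonced_self_script:    Script.new(url: "#{PAGE_ORIGIN}/app.js", nonce: NONCE, parser_inserted: true),
    propagated_offsite:    Script.new(url: 'https://third-party.example/x.js', nonce: nil, parser_inserted: false),
    unnonced_cdn_script:   Script.new(url: 'https://cdn.example.com/extra.js', nonce: nil, parser_inserted: true)
  }
  cases.transform_values { |script| all_policies_allow_script?(headers, script, PAGE_ORIGIN) }
end

if __FILE__ == $PROGRAM_NAME
  puts "Single header value: Content-Security-Policy: #{DOUBLE_POLICY.join(', ')}"
  demo_results.each { |name, allowed| puts format('%-22s %s', name, allowed ? 'allowed' : 'blocked') }
end
```

Running it shows why one policy is not enough: with only the nonce policy, a script appended by trusted code from any host is allowed (`propagated_offsite`), and with only the allowlist policy, an un-nonced script from the CDN is allowed (`unnonced_cdn_script`). With both policies sent, nonced scripts from `'self'` or the CDN run, while both of those weaker cases are blocked, which is exactly the combination a single `script-src` directive cannot express.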