securedrop.org
Content Security Policy checks only presence of a default policy
The validate CSP function only does a substring match and does not evaluate the overall policy. For example, the following CSP would pass our test, but it provides limited protection against certain XSS attacks.
```html
<meta http-equiv="Content-Security-Policy" content="default-src 'self';
script-src 'self' 'unsafe-inline' 'unsafe-eval'">
```
Perhaps we can downgrade the score when `unsafe-inline` and/or `unsafe-eval` are present in the CSP?
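As an added example (not code from the securedrop.org repository), the following Python shows the difference between the substring check described above and a directive-aware check that downgrades a policy when `'unsafe-inline'` or `'unsafe-eval'` governs scripts. The function names, the grading labels and the sample policies are assumptions made for illustration. It also covers two details the issue does not spell out: `script-src` falls back to `default-src` when absent, so an unsafe keyword in `default-src` alone still weakens script handling, and a nonce or hash in `script-src` makes browsers ignore `'unsafe-inline'` in that directive (CSP Level 2 and later), so it should not trigger a downgrade there.

```python
import re

# Source expressions that weaken script-src enough to downgrade the score.
UNSAFE_SOURCES = {"'unsafe-inline'", "'unsafe-eval'"}

# Nonce and hash sources: when any is present in script-src, browsers that
# implement CSP Level 2+ ignore 'unsafe-inline' in that same directive.
NONCE_OR_HASH = re.compile(r"^'(nonce-|sha256-|sha384-|sha512-)", re.IGNORECASE)

# Constructed sample policies (not taken from any real site). WEAK_POLICY is
# the policy quoted in the issue with the <meta> wrapper stripped.
WEAK_POLICY = "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'"
STRONG_POLICY = "default-src 'self'; script-src 'self'"
FALLBACK_POLICY = "default-src 'self' 'unsafe-inline'"          # no script-src
NONCE_POLICY = "default-src 'self'; script-src 'self' 'nonce-r4nd0m' 'unsafe-inline'"
NO_DEFAULT_POLICY = "script-src 'self'"


def naive_check(policy: str) -> bool:
    """The substring-style check the issue describes (hypothetical name):
    passes any policy that merely mentions default-src."""
    return "default-src" in policy


def parse_csp(policy: str) -> dict:
    """Split a serialized policy into {directive-name: [source, ...]}.
    Directive names are case-insensitive; on duplicates the first one wins,
    which is how browsers treat repeated directives."""
    directives = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        directives.setdefault(name, tokens[1:])
    return directives


def effective_script_sources(directives: dict) -> list:
    """script-src governs scripts; if it is absent, default-src applies."""
    if "script-src" in directives:
        return directives["script-src"]
    return directives.get("default-src", [])


def score_csp(policy: str) -> dict:
    """Grade a policy: 'missing-default' if default-src is absent, 'weak' if
    an unsafe keyword effectively applies to scripts, otherwise 'strong'.
    The returned 'unsafe' list names the keywords that caused a downgrade."""
    directives = parse_csp(policy)
    if "default-src" not in directives:
        return {"grade": "missing-default", "unsafe": []}

    sources = effective_script_sources(directives)
    has_nonce_or_hash = any(NONCE_OR_HASH.match(s) for s in sources)

    unsafe = set()
    for src in sources:
        keyword = src.lower()
        if keyword == "'unsafe-inline'" and has_nonce_or_hash:
            continue  # the browser ignores it here, so no downgrade
        if keyword in UNSAFE_SOURCES:
            unsafe.add(keyword)

    grade = "weak" if unsafe else "strong"
    return {"grade": grade, "unsafe": sorted(unsafe)}


if __name__ == "__main__":
    samples = [
        ("weak", WEAK_POLICY),
        ("strong", STRONG_POLICY),
        ("fallback", FALLBACK_POLICY),
        ("nonce", NONCE_POLICY),
        ("no-default", NO_DEFAULT_POLICY),
    ]
    for label, policy in samples:
        print(f"{label:10} naive={naive_check(policy)!s:5} scored={score_csp(policy)}")
```

Running the block shows that `naive_check` accepts the weak, strong, fallback and nonce policies alike, while `score_csp` separates them. A real scanner would also want to handle `script-src-elem`/`script-src-attr` and wildcard or `data:` sources, which this example deliberately leaves out.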