Hacker News
by Alex3917 3556 days ago
Fantastic tool, though it seems to have a couple possible issues:

- Doesn't properly take into account default-src. We have default-src 'none', but it's telling us that we haven't set object-src to none.

- Says "Directive 'meta' is not a known CSP directive", despite the advice to use the meta tag here: http://www.html5rocks.com/en/tutorials/security/content-secu...

For reference these are the issues that came up with the CSP on the front end for our oembed:

https://oembed.fwdeveryone.com?threadId=Nh4apRjSR7qS5y4aGd3N...
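
The `default-src` fallback raised in the first bullet, as an added example that is not part of the original comment or of the tool under discussion: a checker should resolve the effective `object-src` source list before reporting it as unset. The function names and the sample policies are hypothetical, constructed for illustration.

```javascript
// Added example: resolve a directive's effective source list, applying the
// default-src fallback, before judging whether object-src is locked down.

// Subset of fetch directives that fall back directly to default-src.
// (frame-src and worker-src are omitted: they consult child-src first.)
const FALLS_BACK_TO_DEFAULT = new Set([
  'script-src', 'style-src', 'img-src', 'font-src', 'connect-src',
  'media-src', 'object-src', 'child-src', 'manifest-src',
]);

// Parse a serialized policy into Map<directive name, source expressions[]>.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored; the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Returns the source list that governs `name`, or null if nothing restricts it.
function effectiveSources(directives, name) {
  if (directives.has(name)) return directives.get(name);
  if (FALLS_BACK_TO_DEFAULT.has(name) && directives.has('default-src')) {
    return directives.get('default-src');
  }
  return null; // e.g. base-uri never inherits from default-src
}

// 'ok' = plugins blocked, 'permissive' = some source allowed, 'missing' = unrestricted.
function objectSrcFinding(policy) {
  const sources = effectiveSources(parsePolicy(policy), 'object-src');
  if (sources === null) return 'missing';
  // An empty list, or 'none' as the only expression, matches nothing.
  const blocksAll = sources.length === 0 ||
    (sources.length === 1 && sources[0].toLowerCase() === "'none'");
  return blocksAll ? 'ok' : 'permissive';
}

// Constructed sample policies.
console.log(objectSrcFinding("default-src 'none'; script-src 'self'"));
console.log(objectSrcFinding("script-src 'self'"));
```
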