Validator: Combine multiple CSP warnings for the same reason

[erosman]

Example:

https://addons.mozilla.org/editors/review/854655/
https://addons.mozilla.org/en-US/developers/addon/threatpinch-lite/file/723979/validation

CSP:
"content_security_policy": "script-src 'self' https://www.threatminer.org https://api.passivetotal.org https://cymon.io https://www.virustotal.com https://api.xforce.ibmcloud.com https://api.shodan.io https://www.censys.io 'unsafe-eval'; object-src 'self'"

[erosman]

Was there a change? I see an odd warning:

https://addons.mozilla.org/editors/review/855467/
https://addons.mozilla.org/en-US/developers/addon/b3-advanced-operator-search/file/725729/validation
https://addons.mozilla.org/en-US/firefox/files/browse/725729/file/manifest.json#top

"content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self'"

Using 'eval' has strong security and performance implications.

In most cases the same result can be achieved differently, therefore it is generally prohibited
manifest.json

[EnTeQuAk]

Yes, we are now warning for unsafe-eval too. Or rather, improved it's error message to be less confusing.

[erosman]

we are now warning for unsafe-eval too. Or rather, improved it's error message to be less confusing.

TBH, the unsafe-eval warning was more expressive than the generic eval which is used for actual eval() function.. but it is not an issue.