From @shekyan on October 2, 2015 23:31

Section 3.1 should be explicit how user-agent should behave in the context of malformed content-security-policy header.
For example, unknown directive, non-ASCII characters, multiple 'none' keywords in source-expression do not match the 'policy-token' grammar.

We suggest treating these headers as either default-src 'none' or default-src 'self'

Copied from original issue: w3c/webappsec#495