csp header vs meta tag
There are two ways to deliver a CSP to a browser:
- Request header for the document
- Meta tag of the document
Content-Security-Policy delivery through HTTP supports some extra features
compared to delivery via a HTML meta element, such as:
- Content-Security-Policy-Report-Only
- report-uri
- frame-ancestors
- sandbox directives.
If you dont use those features it doesnt matter what way you pick.