
A Content-Security-Policy can be set on the server and delivered in the HTTP header to the client. The Content-Security-Policy can also be set inline in the HTML in a <meta> tag.

Example:

<meta http-equiv="Content-Security-Policy" content="default-src;">

Does the inline policy affect the policy set in the header?

Nicholas Porter
    See the answer at https://stackoverflow.com/a/51153816/441757. Browsers enforce the most-restrictive policy directives, regardless where they’re specified. So if a `<meta>` policy has more-restrictive directives than a header policy, the browser enforces those more-restrictive directives. But if the `<meta>` policy has less-restrictive directives than the header policy, the browser effectively ignores the `<meta>` policy directives, & just uses the (more-restrictive) directives in the header policy. Likewise, if the `<meta>` policy is more restrictive, the header policy directives are ignored. – sideshowbarker Apr 03 '19 at 00:44
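The combining rule described in the comment above, as an added example that is not part of the question or of any browser's code: each policy (the header's and the `<meta>` element's) is evaluated on its own, and a request is allowed only if every policy allows it. The script below is a deliberately simplified CSP model written for this page (source-list matching for fetch directives with the `default-src` fallback; no nonces, hashes, path matching or `upgrade-insecure-requests`). The origins and policy strings (`PAGE_ORIGIN`, `HEADER_POLICY`, `META_POLICY`) are constructed for the demonstration; `META_POLICY` reuses the question's own `default-src;`, whose empty source list behaves like `'none'`.

```javascript
// Added example: a simplified model of how a browser combines several
// Content-Security-Policy policies (HTTP header plus <meta> element).
// Not a complete CSP implementation: only source-list matching for a few
// fetch directives, with the default-src fallback. Policy strings and
// origins below are constructed for this example.

// Parse "default-src 'self'; img-src https://cdn.example.test" into a Map
// of directive name -> array of source expressions.
function parsePolicy(policyText) {
  const directives = new Map();
  for (const part of policyText.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    // CSP ignores a repeated directive; only the first occurrence counts.
    if (!directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

// Does one source expression permit `url` for a page served from pageOrigin?
function sourceMatches(expr, url, pageOrigin) {
  const lowered = expr.toLowerCase();
  if (lowered === "'none'") return false;
  if (lowered === "'self'") return url.origin === pageOrigin;
  if (lowered === "*") return url.protocol === "http:" || url.protocol === "https:";
  if (lowered.endsWith(":")) return url.protocol === lowered; // scheme source, e.g. "https:"
  // Host source: optional scheme, optional leading "*." wildcard, optional port.
  const m = lowered.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:\/]+)(?::(\d+|\*))?$/);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme && url.protocol !== scheme + ":") return false;
  const urlHost = url.hostname;
  if (wildcard ? !urlHost.endsWith("." + host) : urlHost !== host) return false;
  if (port && port !== "*") {
    const urlPort = url.port || (url.protocol === "https:" ? "443" : "80");
    if (urlPort !== port) return false;
  }
  return true;
}

// Is the request allowed by a single policy? A fetch directive falls back to
// default-src when it is absent; if neither is present the policy does not
// restrict the request at all.
function allowedByPolicy(policy, directive, url, pageOrigin) {
  const sources = policy.get(directive) ?? policy.get("default-src");
  if (sources === undefined) return true;
  // An empty source list (e.g. "default-src;") matches nothing, like 'none'.
  return sources.some((expr) => sourceMatches(expr, url, pageOrigin));
}

// Several policies (header + <meta>) are each enforced independently, so the
// request goes through only if every one of them allows it. That is why a
// <meta> policy can only tighten, never loosen, what the header permits.
function allowedByAll(policyTexts, directive, urlText, pageOrigin) {
  const url = new URL(urlText);
  return policyTexts
    .map(parsePolicy)
    .every((p) => allowedByPolicy(p, directive, url, pageOrigin));
}

// Worked scenario: a header policy plus the question's inline <meta> policy.
const PAGE_ORIGIN = "https://app.example.test"; // constructed
const HEADER_POLICY = "default-src 'self'; img-src 'self' https://cdn.example.test"; // constructed
const META_POLICY = "default-src;"; // the question's example: empty list == 'none'

function demo() {
  const img = "https://cdn.example.test/a.png";
  return {
    headerOnlyCdnImg: allowedByAll([HEADER_POLICY], "img-src", img, PAGE_ORIGIN),            // true
    bothCdnImg: allowedByAll([HEADER_POLICY, META_POLICY], "img-src", img, PAGE_ORIGIN),     // false: meta is stricter
    looserMetaCannotWiden: allowedByAll([HEADER_POLICY, "img-src *"], "img-src",
      "https://evil.example.test/x.png", PAGE_ORIGIN),                                        // false: header still applies
  };
}

console.log(demo());
```

Running it shows the asymmetry the comment describes: with the header alone the CDN image loads, adding the `<meta>` policy `default-src;` blocks it, and a looser `<meta>` policy (`img-src *`) does not let through anything the header already denies. For a real deployment, prefer the header over the `<meta>` element where you can, since the `<meta>` form cannot carry `frame-ancestors`, `report-uri` or `sandbox` and only applies from the point in the document where it appears.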

0 Answers