---

Example meta tag

Let's suppose we want to add a CSP policy to our site using the following HTML:

<meta http-equiv="Content-Security-Policy" content="default-src 'self'">

Your policy will go inside the content attribute of the meta tag. The header name Content-Security-Policy should go inside the http-equiv attribute of the meta tag.

The meta tag must go inside a head tag. The CSP policy only applies to content found after the meta tag is processed, so you should keep it towards the top of your document, or at least before any dynamically generated content.

Does the meta tag need to be inside a head tag?

Yes, in current versions of Chrome you will get an error such as the following:

The Content Security Policy 'default-src 'self'' was delivered via a <meta> element outside the document's <head>, which is disallowed. The policy has been ignored.

Why doesn't report-uri work in a CSP meta tag?

This is not supported, further the Content-Security-Policy-Report-Only header cannot be used in a meta tag either.

Does frame-ancestors or sandbox work in a CSP meta policy?

According to the CSP spec, frame-ancestors and sandbox are also not supported inside a meta tag.

Should I use meta or a HTTP Response Header?

The meta support is handy when you can't set a HTTP response header, but in most cases using a HTTP response header is a stronger approach.

Do all directives work inside a meta tag?

No, some directives may not work in a meta tag, for example the frame-ancestors directive cannot be used inside a meta tag.

What goes inside a CSP policy?

If you're not sure what default-src 'self'; means, then check out the Content Security Policy reference for details.

---