Question is regarding having CSP served twice:
What's the behavior if there is one policy served through the Content-Security-Policy HTTP response header and also another policy specified with the <meta /> element?
Will those two be merged somehow? Or else which one has priority? (I cannot find clear info on this in the spec).
Specific use case might be serving Report-to through the HTTP response header and putting all other restrictions in the <meta /> element — because some of those are generated by webpack - and if I shouldn't be worried about <meta /> being shadowed by the HTTP response-header policy.