I'm trying to enable a content security policy in report-only mode for an Angular application but when I try to inject it via the meta tag I get a disallowed message in Chrome (v64).
<meta http-equiv="Content-Security-Policy-Report-Only" content="default-src 'self'" />
The report-only Content Security Policy 'default-src 'self'' was delivered via a <meta> element, which is disallowed. The policy has been ignored.
I've also tried with Edge (v41) and Firefox (v59) where there is no error but also no console output. Have I missed a configuration step or is there a workaround?
A Content-Security-Policy-Report-Only policy can only be specified with an HTTP response header. The CSP spec explicitly disallows it from being specified with a meta element:
Note: The Content-Security-Policy-Report-Only header is not supported inside a <meta> element. Neither are the report-uri, frame-ancestors, and sandbox directives.
There is no workaround other than to specify it using an HTTP response header instead.