Is it really safe to put your Content-Security-Policy (CSP) rules into your HTML document's meta tags? Forgive me if I am missing something, but if a hacker wanted to bypass those rules, wouldn't it be as simple as using Chrome's DEV tools or something similar to select and delete the whole meta tag?
Despite not being able to find anyone else with the same concern, it still feels wrong to me in the same way putting private API keys into client-side scripts would. Anything client-side can be manipulated, right?
Using the meta tag is said many times in the specification to be worse than the header. Only use it if you need to. But it's as safe as it can be:
Note: A policy specified via a <meta> element will be enforced along with any other policies active for the protected resource, regardless of where they’re specified. The general impact of enforcing multiple policies is described in §8.1 The effect of multiple policies.
Note: Modifications to the content attribute of a <meta> element after the element has been parsed will be ignored.
There's no way to make the policy less strict after the browser parses it.
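The "effect of multiple policies" rule the answer points to is what makes a meta-tag policy safe against this kind of tampering: a request is allowed only if every active policy allows it, so an extra policy can only tighten what is already enforced, never loosen it. The following is an added example, not code from the original post or from the CSP specification, that models that rule for one directive. It is a deliberately simplified evaluator: it assumes a page origin of https://app.example and policy strings constructed for the example, handles only 'self', 'none', '*', scheme sources and host sources (with a leading *. wildcard), and ignores nonces, hashes and the other source forms a real browser implements.

```python
from urllib.parse import urlparse

# Constructed sample policies for the example (not from the original post).
PAGE_ORIGIN = "https://app.example"
HEADER_POLICY = "default-src 'self'; script-src 'self' https://cdn.example"
LOOSE_META_POLICY = "script-src *"        # a permissive policy someone might try to add
STRICT_META_POLICY = "script-src 'self'"  # a tighter policy delivered via <meta>


def parse_policy(policy: str) -> dict:
    """Split a CSP string into {directive: [source, ...]}.
    As in the spec, the first occurrence of a directive wins; later duplicates are ignored."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name, sources = tokens[0].lower(), [t.lower() for t in tokens[1:]]
        directives.setdefault(name, sources)
    return directives


def source_matches(source: str, url: str, page_origin: str) -> bool:
    """Does one source expression allow fetching `url` from a page at `page_origin`?
    Simplified: supports 'self', 'none', '*', scheme sources (https:) and host sources
    with an optional *. wildcard. Anything else (nonces, hashes) is treated as no match."""
    u, p = urlparse(url), urlparse(page_origin)
    if source == "'none'":
        return False
    if source == "'self'":
        return (u.scheme, u.netloc) == (p.scheme, p.netloc)
    if source == "*":
        return u.scheme in ("http", "https")
    if source.endswith(":"):                      # scheme source, e.g. https:
        return u.scheme == source[:-1]
    scheme, _, host = source.rpartition("://")    # scheme is "" when absent
    if scheme and u.scheme != scheme:
        return False
    if host.startswith("*."):
        return u.hostname is not None and u.hostname.endswith(host[1:])
    return u.hostname == host


def policy_allows(policy: dict, directive: str, url: str, page_origin: str) -> bool:
    """Evaluate a single parsed policy. Falls back to default-src when the
    directive is absent; a policy that names neither places no restriction."""
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True
    return any(source_matches(s, url, page_origin) for s in sources)


def all_policies_allow(policies, directive: str, url: str, page_origin: str) -> bool:
    """The multiple-policies rule: a request must satisfy every active policy,
    whether it was delivered in a header or in a <meta> element."""
    return all(policy_allows(parse_policy(p), directive, url, page_origin) for p in policies)


def demo() -> dict:
    """Run the constructed scenarios and return the decision for each."""
    cdn = "https://cdn.example/lib.js"
    other = "https://other.example/x.js"
    return {
        # header alone: the CDN is listed, the unlisted origin is not
        "header_only_cdn": all_policies_allow([HEADER_POLICY], "script-src", cdn, PAGE_ORIGIN),
        "header_only_other": all_policies_allow([HEADER_POLICY], "script-src", other, PAGE_ORIGIN),
        # adding a looser meta policy cannot override the header's denial
        "header_plus_loose_meta_other": all_policies_allow(
            [HEADER_POLICY, LOOSE_META_POLICY], "script-src", other, PAGE_ORIGIN),
        # adding a stricter meta policy does tighten the result
        "header_plus_strict_meta_cdn": all_policies_allow(
            [HEADER_POLICY, STRICT_META_POLICY], "script-src", cdn, PAGE_ORIGIN),
        # with no policy at all there is nothing to enforce
        "no_policy_other": all_policies_allow([], "script-src", other, PAGE_ORIGIN),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allowed' if allowed else 'blocked'}")
```

The third scenario is the one that answers the question: once a header policy is in force, appending a permissive second policy changes nothing, because the header policy still has to agree. Deleting the meta tag in DevTools is the same story in reverse, and it only affects the copy of the page in that one person's browser; the policy every other visitor receives is untouched.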