Why is delivery of Content-Security-Policy via headers "preferred"?


At 3. CSP Policy Delivery it says

The Content-Security-Policy HTTP response header field is the preferred mechanism for delivering a policy

But there are two valid mechanisms: delivery via an HTTP header, and delivery via an HTML meta element:

<meta http-equiv="Content-Security-Policy" content="..."/>

Why is delivery via a header "preferred", or perhaps more importantly, what are the disadvantages of delivery via an HTML meta tag?

For various reasons, in our deployment, adding CSP to the HTML head is simpler to manage.

2

There are 2 answers

0
Pablo EM On BEST ANSWER

It seems that this question has been already answered in the comments, but nobody has a couple of minutes to write a response, so I'll try it myself.

Content-Security-Policy delivery through the HTTP response supports some extra features compared to delivery via an HTML meta element, such as Content-Security-Policy-Report-Only and the report-uri, frame-ancestors, and sandbox directives.

However, if you don't need to use any of these features, there’s no advantage to using the HTTP header.

Note that when using the HTML way, the http-equiv meta tag should appear first in the header, since it only applies to elements that follow it.

1
cquezel On

In large organisations, the people responsible for setting up CSP are not the same as those responsible for web page content. When multiple policies apply, they must all be enforced. A developer (via meta) cannot relax a policy established by a system administrator (via HTTP response). The security burden is shifted from all developers to a limited group of administrators.
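Both answers above describe how a browser treats a header-delivered and a meta-delivered policy together: the meta copy silently loses frame-ancestors, report-uri and sandbox, and every policy that is delivered must independently allow a load, so a meta tag can only tighten what the header already enforces. The following model is an added illustration (not from the question, the answers, or any browser's code); it assumes a simplified source-expression matcher with no nonces, hashes, paths or ports, and the sample policies and origins are constructed.

```python
"""Constructed model of CSP policy combination (added example, not browser code)."""

# Directives that are dropped when the policy arrives via <meta http-equiv>.
META_IGNORED = {"frame-ancestors", "report-uri", "sandbox"}
# Directives that never fall back to default-src.
NO_DEFAULT_FALLBACK = {"frame-ancestors", "base-uri", "form-action", "sandbox", "report-uri"}

def parse_policy(policy):
    """Return {directive: [sources]}; the first occurrence of a directive wins."""
    directives = {}
    for token in policy.split(";"):
        parts = token.strip().split()
        if parts:
            directives.setdefault(parts[0].lower(), parts[1:])
    return directives

def parse_meta_policy(policy):
    """Like parse_policy, but discards directives that <meta> delivery cannot carry."""
    return {k: v for k, v in parse_policy(policy).items() if k not in META_IGNORED}

def source_matches(src, origin, page_origin):
    """Simplified source-expression match: 'none', 'self', *, scheme://host, scheme://*.host."""
    if src == "'none'":
        return False
    if src == "'self'":
        return origin == page_origin
    if src == "*":
        return True
    s_scheme, _, s_host = src.partition("://")
    o_scheme, _, o_host = origin.partition("://")
    if s_scheme != o_scheme:
        return False
    if s_host.startswith("*."):
        return o_host.endswith(s_host[1:])
    return s_host == o_host

def policy_allows(directives, directive, origin, page_origin):
    """None if this policy says nothing about the directive, else True/False."""
    fallback = None if directive in NO_DEFAULT_FALLBACK else directives.get("default-src")
    sources = directives.get(directive, fallback)
    if sources is None:
        return None
    return any(source_matches(s, origin, page_origin) for s in sources)

def allowed(policies, directive, origin, page_origin):
    """Every delivered policy must allow the load; a later policy can tighten, never relax."""
    return all(policy_allows(p, directive, origin, page_origin) is not False for p in policies)

# Constructed sample: an administrator's header and a developer's <meta> that tries to relax it.
HEADER = "default-src 'self'; script-src 'self' https://*.example.com; frame-ancestors 'none'"
META = "script-src *; frame-ancestors *; img-src 'none'"
PAGE = "https://app.example.com"
```

Running `allowed([parse_policy(HEADER), parse_meta_policy(META)], "frame-ancestors", "https://other.example", PAGE)` returns False even though the meta tag says `frame-ancestors *`, while the meta tag's `img-src 'none'` does block images the header alone would have allowed.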