CSP 的版本(或级别)具有扩展原始规范的新支持功能.通过 html 元标头为 CSP 提供服务被认为是传统的，并且有一些缺点.尝试通过请求的 HTTP 标头设置 CSP此外，作为***实践，将 default-src 设为您的第一个指令.

CSP has versions (or levels) with newly supported features extending the original spec. Serving the CSP through an html meta header is considered legacy and has some drawbacks. Try setting CSP via the HTTP headers of the request Also, as a best practice make the default-src you first directive.