There are two ways to deliver a CSP to a browser:
- Request header for the document
- Meta tag of the document

Content-Security-Policy delivery through HTTP supports some extra features 
compared to delivery via a HTML meta element, such as: 
- Content-Security-Policy-Report-Only 
- report-uri
- frame-ancestors
- sandbox directives.

If you dont use those features it doesnt matter what way you pick.