At 3. CSP Policy Delivery it says
The Content-Security-Policy HTTP response header field is the preferred mechanism for delivering a policy
But there are two valid mechanisms: delivery via an HTTP header, and delivery via an HTML meta element:
<meta http-equiv="Content-Security-Policy" content="..."/>
Why is delivery via a header "preferred", or perhaps more importantly, what are the disadvantages of delivery via an HTML meta tag?
For various reasons, in our deployment, adding CSP to the HTML head is simpler to manage.
It seems that this question has been already answered in the comments, but nobody has a couple of minutes to write a response, so I'll try it myself.
Content-Security-Policy delivery through the HTTP response supports some extra features compared to delivery via an HTML meta element, such as Content-Security-Policy-Report-Only and the report-uri, frame-ancestors, and sandbox directives.
However, if you don't need to use any of these features, there’s no advantage to using the HTTP header.
Note that when using the HTML way, the http-equiv meta tag should appear first in the header, since it only applies to elements that follow it.
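The two pitfalls in the answer above (directives that meta delivery silently drops, and a meta tag placed after other elements) can be checked mechanically before shipping a page. The following is an added example, not code from the original post: it parses a CSP string, reports the directives the answer lists as header-only, and walks a constructed sample HTML document to find elements that precede the CSP meta tag and therefore escape the policy.

```python
from html.parser import HTMLParser

# Directives the answer lists as honoured only when delivered via the HTTP header;
# a browser ignores them when the policy arrives in a <meta http-equiv> element.
META_IGNORED = {"frame-ancestors", "report-uri", "sandbox"}


def parse_csp(policy):
    """Split 'default-src 'self'; img-src *' into {directive: [source values]}."""
    directives = {}
    for token in policy.split(";"):
        parts = token.split()
        if parts:
            directives.setdefault(parts[0].lower(), []).extend(parts[1:])
    return directives


def dropped_in_meta(policy):
    """Directives in `policy` that would be silently dropped under meta delivery."""
    return sorted(META_IGNORED & parse_csp(policy).keys())


class _MetaOrder(HTMLParser):
    """Records every element that appears before the first CSP <meta> tag."""

    def __init__(self):
        super().__init__()
        self.before, self.found, self.policy = [], False, None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # attribute names are already lower-cased by HTMLParser
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "content-security-policy":
            if not self.found:
                self.found, self.policy = True, a.get("content", "")
            return
        if not self.found and tag not in ("html", "head"):
            self.before.append(tag)  # loaded before the policy took effect


def audit_html(doc):
    p = _MetaOrder()
    p.feed(doc)
    return {"found": p.found, "preceding": p.before, "dropped": dropped_in_meta(p.policy or "")}


# Constructed sample page: a script precedes the meta tag, and the policy uses
# two directives that only work in the header.
SAMPLE_HTML = """<html><head>
<script src="/analytics.js"></script>
<meta http-equiv="Content-Security-Policy"
      content="default-src 'self'; frame-ancestors 'none'; report-uri /csp">
<link rel="stylesheet" href="/app.css">
</head><body></body></html>"""

if __name__ == "__main__":
    print(audit_html(SAMPLE_HTML))
```

Running it on the sample reports the preceding script element and the two dropped directives; a clean result has an empty `preceding` list and an empty `dropped` list.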