Makes note of HTTP header CSP usage with file://

Previously it was not noted that the HTTP header method could not work with the file:// protocol.
electron · Sep 22, 2018 · 7d3e702 · 7d3e702
1 parent 176a762
commit 7d3e702
Showing 1 changed file with 1 addition and 2 deletions.
diff --git a/docs/tutorial/security.md b/docs/tutorial/security.md
@@ -370,8 +370,7 @@ session.defaultSession.webRequest.onHeadersReceived((details, callback) => {
 
 ### CSP Meta Tag
 
-CSP's preferred delivery mechanism is an HTTP header. It can be useful, however,
-to set a policy on a page directly in the markup using a `<meta>` tag:
+CSP's preferred delivery mechanism is an HTTP header, however it is not possible to use this method when loading a resource using the `file://` protocol. It can be useful in some cases, such as using the `file://` protocol, to set a policy on a page directly in the markup using a `<meta>` tag:
 
 ```html
 <meta http-equiv="Content-Security-Policy" content="default-src 'none'">