diff --git a/files/en-us/web/security/practical_implementation_guides/csp/index.md b/files/en-us/web/security/practical_implementation_guides/csp/index.md index da65d54bf94157f..01d26fca633abe4 100644 --- a/files/en-us/web/security/practical_implementation_guides/csp/index.md +++ b/files/en-us/web/security/practical_implementation_guides/csp/index.md @@ -55,9 +55,7 @@ If you are unable to get a strict CSP to work, an allowlist-based CSP is much be > > - `unsafe-inline`. > - `data:` URIs inside `script-src`, `object-src`, or `default-src`. -> - overly broad sources or form submission targets. -> -> Similarly, the use of `script-src 'self'` can be unsafe for sites with JSONP endpoints. These sites should use a `script-src` that includes the path to their JavaScript source folder(s). +> - Overly broad sources or form submission targets. If you are unable to use the `Content-Security-Policy` header, pages can instead include a [``](/en-US/docs/Web/HTML/Element/meta#http-equiv) element. This should be the first {{htmlelement("meta")}} element that appears inside the document {{htmlelement("head")}}.
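Review bot: The two removed lines at the end of the callout drop the JSONP caveat ("the use of `script-src 'self'` can be unsafe for sites with JSONP endpoints") together with the path-based recommendation, and nothing in this hunk replaces it, so the list of things to avoid in an allowlist-based CSP no longer mentions that risk at all. If the intent is only to retire the advice about listing the path to the JavaScript source folder(s), consider keeping the first sentence, for example as a fourth bullet, and removing just the second one. If both sentences are meant to go, say why in the commit message so the reason for dropping the warning is recorded. The capitalization change to "Overly broad sources or form submission targets." is fine.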