Meta injection (best-effort)
This page sets INJECT_META: true and ships no
hand-placed CSP. A <meta> CSP only takes effect when the parser inserts it, so
DOMFortify can only try via document.write during the initial parse - and even then
only for content parsed afterwards. The honest outcome in your browser is below.
DOMFortify.status()
Takeaway: prefer a response header, or a hand-placed parse-time
<meta>. Use INJECT_META only when you can set neither, and always
confirm with status() that enforcement actually took effect.
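
The preference order in the takeaway can be checked before deployment. The following is an added example, not part of DOMFortify or of this page: it classifies how a page delivers its CSP and counts the scripts that would be parsed before any <meta> policy applies. The function name cspDelivery, the mode labels and the sample page are assumptions made for illustration.

```javascript
// Added example, not DOMFortify code. Names and mode labels are hypothetical.
// Heuristic tag scan for a build or CI check, not a full HTML parser.
function cspDelivery(headers, html) {
  // 1. A response header covers the whole document, every script included.
  const hasHeader = Object.entries(headers).some(
    ([k, v]) => k.toLowerCase() === 'content-security-policy' && String(v).trim() !== ''
  );
  if (hasHeader) return { mode: 'header', uncoveredScripts: 0 };

  // 2. Otherwise look for a hand-placed <meta> and count scripts parsed before it.
  const markup = html.replace(/<!--[\s\S]*?-->/g, ''); // drop commented-out tags
  const tagRe = /<(meta|script)\b([^>]*)>/gi;
  const closeRe = /<\/script/gi;
  const isCspMeta = /\bhttp-equiv\s*=\s*(["']?)content-security-policy\1(?=[\s\/]|$)/i;
  let scripts = 0;
  let m;
  while ((m = tagRe.exec(markup)) !== null) {
    if (m[1].toLowerCase() === 'script') {
      scripts += 1;
      // Skip the script body so a document.write('<meta ...>') string is not
      // mistaken for hand-placed markup.
      closeRe.lastIndex = tagRe.lastIndex;
      const close = closeRe.exec(markup);
      if (close === null) break;
      tagRe.lastIndex = close.index;
    } else if (isCspMeta.test(m[2])) {
      // A <meta> policy only governs content parsed after it.
      return {
        mode: scripts === 0 ? 'meta-parse-time' : 'meta-after-script',
        uncoveredScripts: scripts,
      };
    }
  }
  // 3. Nothing hand-placed: only runtime injection is left (the INJECT_META case).
  return { mode: 'none', uncoveredScripts: scripts };
}

// Constructed sample: a page that relies on runtime injection only.
const SAMPLE_INJECT_ONLY = `<head>
<script>document.write('<meta http-equiv="Content-Security-Policy" content="x">')</script>
<script src="app.js"></script>
</head>`;
console.log(cspDelivery({}, SAMPLE_INJECT_ONLY));
```

A result of 'none' or 'meta-after-script' marks a page where status() should be checked at runtime, since some scripts are parsed before any policy exists.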