From d7d4b8638d2d9f065ac78895da49a83ddc21a7c8 Mon Sep 17 00:00:00 2001
From: Slapbox <Slapbox@users.noreply.github.com>
Date: Wed, 28 Nov 2018 03:58:18 -0500
Subject: [PATCH] docs: makes note of HTTP header CSP usage with file://
 (#14768)

---
 docs/tutorial/security.md | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/docs/tutorial/security.md b/docs/tutorial/security.md
index b8fbbd9e4075..b9e4a0fd28d4 100644
--- a/docs/tutorial/security.md
+++ b/docs/tutorial/security.md
@@ -374,8 +374,10 @@ session.defaultSession.webRequest.onHeadersReceived((details, callback) => {
 
 ### CSP Meta Tag
 
-CSP's preferred delivery mechanism is an HTTP header. It can be useful, however,
-to set a policy on a page directly in the markup using a `<meta>` tag:
+CSP's preferred delivery mechanism is an HTTP header, however it is not possible
+to use this method when loading a resource using the `file://` protocol. It can
+be useful in some cases, such as using the `file://` protocol, to set a policy
+on a page directly in the markup using a `<meta>` tag:
 
 ```html
 <meta http-equiv="Content-Security-Policy" content="default-src 'none'">