CSP check should also check meta tag

Currently the 16.9 and 16.10 checks only look for Content-Security-Policy and Content-Security-Policy-Report-Only in the HTTP response header. It is also valid to provide CSP policies in the meta http-equiv tag.

See: https://content-security-policy.com/examples/meta/ as an example.

We will need to parse the DOM or extract http-equiv if it exists to analyze the policy.