by an HTTP header.
This applies to all content loaded including through navigation or via the various webkit_web_view_load_\* APIs. However do note that many WebKit APIs bypass Content-Security-Policy in general such as #WebKitUserContentManager and webkit_web_view_run_javascript().
Policies are additive so if a website sets its own policy it still applies on top of the policy set here.