Tuesday, July 3, 2018

What is happening when I have two CSP (Content Security Policies) policies - header & meta?

Question is regarding having CSP served twice:

What's the behavior when one policy is served through an HTTP response header and another is in a <meta /> tag?

Will those two be merged somehow? Or which one has priority? (I cannot find clear info in the spec.)

A specific use case might be serving Report-to through the response header and having all other restrictions in <meta />, because some of those are generated by webpack, and whether I should be worried about <meta /> being shadowed by the response header policy.
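
An added example (not part of the original question): a simplified JavaScript model of the rule in the CSP specification that every delivered policy is enforced independently, so a load must be allowed by both the header policy and the <meta /> policy, and that report-uri, frame-ancestors and sandbox are ignored when they appear in <meta />. The policies, origins and function names are constructed for illustration, and source matching is reduced to 'self', * and exact origins.

```javascript
// Simplified model of how a browser combines several CSP policies.
// Assumption: source matching covers only 'self', '*' and exact origins.

// Directives the CSP specification ignores when the policy comes from <meta>.
const IGNORED_IN_META = new Set(['report-uri', 'frame-ancestors', 'sandbox']);

// Parse one policy string into a Map of directive name -> source list.
function parsePolicy(text, source) {
  const directives = new Map();
  for (const part of text.split(';')) {
    const [name, ...values] = part.trim().split(/\s+/);
    if (!name) continue;
    const key = name.toLowerCase();
    if (source === 'meta' && IGNORED_IN_META.has(key)) continue;
    if (!directives.has(key)) directives.set(key, values); // first occurrence wins
  }
  return directives;
}

// Does a single policy allow this URL for the given fetch directive?
function policyAllows(policy, directive, url, pageOrigin) {
  const list = policy.get(directive) ?? policy.get('default-src');
  if (list === undefined) return true; // this policy does not restrict the load
  const origin = new URL(url).origin;
  return list.some(s =>
    s === '*' || (s === "'self'" && origin === pageOrigin) || s === origin);
}

// Policies are not merged and none has priority: a load must pass all of them.
function allowed(policies, directive, url, pageOrigin) {
  return policies.every(p => policyAllows(p, directive, url, pageOrigin));
}

// Constructed sample policies (not taken from the page).
const PAGE = 'https://app.example';
const headerPolicy = parsePolicy(
  "script-src 'self' https://cdn.example; report-uri /csp", 'header');
const metaPolicy = parsePolicy(
  "script-src 'self'; img-src *; report-uri /ignored", 'meta');
const policies = [headerPolicy, metaPolicy];

console.log(allowed(policies, 'script-src', 'https://app.example/main.js', PAGE));
console.log(allowed(policies, 'script-src', 'https://cdn.example/lib.js', PAGE));
```

In this model a header policy that carries only a reporting directive restricts nothing, so it does not override the <meta /> policy; it also is never violated itself, so it produces no reports for loads that the <meta /> policy blocks.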



