They are not equivalent.
The W3C Draft for CSP only defines the headers Content-Security-Policy and Content-Security-Policy-Report-Only. No other headers are defined by the document.
That means browsers can choose to include this specific typo, but it is unlikely that browser vendors will attempt to predict all possible ways to misspell Content-Security-Policy in order to improve compatibility.
How to proceed now?
Mark it as a finding, stating that their CSP header is malformed and will likely be ignored by browsers. Fixing it should not be difficult anyway. If the developers state that some arbitrary browser they tested this on still works with it, you can still mention that it's not covered in any draft and is implementation-specific behavior - and thus a risk.
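A small checker that applies the reasoning in this answer to a set of response headers: it accepts only the two header names the CSP specification defines (matched case-insensitively, since HTTP header names are case-insensitive) and reports any other name that merely resembles them as a near miss that browsers will ignore. This is an added example, not code from the answer's author; the sample headers are constructed, and the 0.85 similarity cutoff is a heuristic chosen for this example, not anything from the specification.

```python
import difflib

# The only two header names the CSP specification defines.
CSP_HEADERS = ("Content-Security-Policy", "Content-Security-Policy-Report-Only")


def check_csp_headers(headers):
    """Classify CSP-related headers in an HTTP response.

    `headers` maps header name -> value (e.g. requests.Response.headers, or a
    dict built from a raw response). Returns the recognised CSP headers under
    their canonical names, a list of (name, closest_spec_name) near misses,
    whether an enforced policy is present, and a one-line finding.
    """
    canonical = {h.lower(): h for h in CSP_HEADERS}
    recognised = {}
    near_misses = []
    for name, value in headers.items():
        if name.lower() in canonical:
            recognised[canonical[name.lower()]] = value
            continue
        # Heuristic cutoff (0.85): catches transposed or missing letters such as
        # "Polciy" while leaving unrelated headers like Content-Type alone.
        match = difflib.get_close_matches(name, CSP_HEADERS, n=1, cutoff=0.85)
        if match:
            near_misses.append((name, match[0]))

    enforced = "Content-Security-Policy" in recognised
    if enforced:
        finding = "OK: enforced Content-Security-Policy header present."
    elif "Content-Security-Policy-Report-Only" in recognised:
        finding = "Report-Only CSP present: violations are reported, not blocked."
    elif near_misses:
        names = ", ".join(n for n, _ in near_misses)
        finding = (
            "Finding: header(s) {} resemble a CSP header but are not defined by "
            "the specification; browsers will ignore them, so no policy is "
            "applied.".format(names)
        )
    else:
        finding = "Finding: no Content-Security-Policy header set."

    return {
        "recognised": recognised,
        "near_misses": near_misses,
        "enforced": enforced,
        "finding": finding,
    }


if __name__ == "__main__":
    # Constructed sample: a misspelled CSP header alongside an unrelated one.
    sample = {
        "Content-Security-Polciy": "default-src 'self'",
        "Content-Type": "text/html; charset=utf-8",
    }
    for key, val in check_csp_headers(sample).items():
        print("{}: {}".format(key, val))
```

The check is deliberately strict about what counts as a CSP header: only an exact (case-insensitive) match for one of the two specified names counts, which is the same standard a browser applies. Everything else is surfaced as a finding rather than silently accepted.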