I don't disagree. There was some discussion on the W3C mailing list about the idea of a resource file (something analogous to how we have CSS and JavaScript resources). I proposed a means of composing static policies with dynamic overrides via the existing header in https://lists.w3.org/Archives/Public/public-webappsec/2016Ja.... CSP provides a great centralized place to define all sorts of security constraints, and it would be a shame to run into header size limits as an artificial constraint on what new things can be added. I'd love to see existing security headers moved into CSP so we have one, and only one, place where we need to solve the size problem.