a.html

<!DOCTYPE HTML>
<html>
  <head>
    <meta charset="utf-8">
  </head>
  <body>
    <div id="log"></div>
    <script src="http://code.jquery.com/jquery-1.10.2.min.js"></script>
    <script type="text/javascript">
      var req = new XMLHttpRequest();
      req.onload = function() { 
        $('body').append('<img src="https://developer.cdn.mozilla.net/media/img/mdn-logo-sm.png">');
      };
      req.open("get", "/csp", true);
      req.responseType = "document";
      req.send(); 
    </script>
  </body>
</html>

node.js

var express = require('express'),
    app = express();


app.configure(function(){
    app.use(function(req, res, next) {
      console.log("req: "+req.url);
      return next();
    });
    app.use(express.static(__dirname+"/public", {maxAge:0}));
    app.use(express.errorHandler({ dumpExceptions: true, showStack: true }));
});

app.get('/csp', function(req, res) {
  console.log("req: "+req.url);
  res.setHeader("Content-Security-Policy", "default-src 'self';")
  res.send('<html><body><b>yo</b></body></html>')

});

app.listen(3000);
console.log("On port 3000");