Is it safe to send Content-Security-Policy header for text/html content-type only?

Is it safe to send Content-Security-Policy header for text/html content-type only?

Is it safe to send Content-Security-Policy for dynamically generated pages with text/html and other hypertext content-types only or do I need to send this header for all files including static assets - images, JS and CSS files?