
Content-Security-Policy

Content Security Policy (CSP) is a browser-enforced defense mechanism that can significantly reduce the risk and impact of XSS attacks in modern browsers. The CSP specification defines a set of content restrictions for web resources and a mechanism for transmitting the policy from the server to the client (the Content-Security-Policy response header), where the browser enforces it. When a policy is in effect, several default browser behaviors change: in particular, inline scripts, inline event handlers and JavaScript eval-style constructs are no longer executed unless the policy explicitly permits them, either by a per-response nonce or hash for inline script, or by the 'unsafe-inline' and 'unsafe-eval' keywords, which largely defeat the protection.

In short, CSP lets the application declare a whitelist of trusted sources for each kind of content, and the browser loads or executes only resources that match that whitelist. Even if an attacker finds an injection vulnerability in the application, the injected script does not match the whitelisted sources (it carries no valid nonce and is not served from an allowed host), so the browser refuses to execute it. When the response carries no Content-Security-Policy header, none of this protection is used and an injection vulnerability is exploitable as usual. CSP only restricts what it is told to restrict: a policy that permits 'unsafe-inline' scripts, or that omits the frame-ancestors directive, does not block the corresponding content-injection (Cross-Site Scripting) or Clickjacking attacks.

Solution
Appropriate CSP policies help prevent content-injection attacks such as cross-site scripting (XSS) and, through the frame-ancestors directive, clickjacking. It is recommended to add a secure CSP as part of a defense-in-depth approach for securing web applications; CSP mitigates the impact of an injection flaw but does not replace fixing it with proper output encoding. Prefer a nonce- or hash-based script-src over broad host whitelists and 'unsafe-inline', set object-src 'none' and restrict base-uri, and deploy the policy first with the Content-Security-Policy-Report-Only header so that anything it would break is visible in violation reports before enforcement is switched on.

References
https://www.owasp.org/index.php/Content_Security_Policy_Cheat_Sheet
https://developers.google.com/web/fundamentals/security/csp/