After the last post on browser-based security, a few people asked how CSP (Content Security Policy) works.
Basically, it is a contract between a web server and the client (i.e. the browser). The browser, being a client, executes everything sent to it by the web server. This is very risky when the web server is compromised, which is what happens when an attacker successfully launches an XSS attack against a website and adds HTML code to its pages.
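To make the contract concrete, here is an added toy model (not code from the original post) of what the browser side does: it parses the Content-Security-Policy header the server sent and decides, before running anything, whether a script is permitted. The page origin, the policy strings and the injected elements are constructed sample values; only the common source expressions ('self', 'none', 'unsafe-inline', '*' and an exact origin) are modelled.

```python
"""Toy model of the CSP contract: the server sends a Content-Security-Policy
header, the browser enforces it before running anything. Added illustration,
not the original post's code; all values below are constructed samples."""
from urllib.parse import urlsplit

PAGE_ORIGIN = "https://shop.example"   # constructed: origin of the page being rendered


def parse_csp(header):
    """Turn "default-src 'self'; script-src 'self' https://cdn.example" into a dict
    mapping each directive to its list of source expressions."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def allowed(policy, directive, src=None, inline=False):
    """Browser-side check: may this element run? inline=True models an inline
    <script> block, the classic payload a stored XSS leaves in a page."""
    sources = policy.get(directive, policy.get("default-src"))  # fall back to default-src
    if sources is None:
        return True                          # no policy at all: the browser executes everything
    if "'none'" in sources:
        return False
    if inline:
        return "'unsafe-inline'" in sources  # inline code needs an explicit opt-in
    if "*" in sources:
        return True
    u = urlsplit(src)
    origin = f"{u.scheme}://{u.netloc}"
    for s in sources:
        if s == "'self'" and origin == PAGE_ORIGIN:
            return True
        if s.lower() == origin:              # exact host-source match, e.g. https://cdn.example
            return True
    return False


def xss_outcome(header):
    """Simulate three script elements on the page and report which the browser would run."""
    policy = parse_csp(header)
    return {
        "inline_script": allowed(policy, "script-src", inline=True),
        "injected_script": allowed(policy, "script-src", src="https://evil.example/x.js"),
        "own_script": allowed(policy, "script-src", src=PAGE_ORIGIN + "/app.js"),
    }


if __name__ == "__main__":
    print(xss_outcome(""))  # no CSP header: everything runs
    print(xss_outcome("default-src 'self'; script-src 'self' https://cdn.example"))
```

Without a header every entry comes back True; with the second policy only the page's own script is allowed, which is exactly the protection the post describes.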
As CSP is implemented at the web server level, it is the website administrator's duty to enable this feature. Usually the programmer has no right to change the production configuration of the web server. This segregation of duties, on the one hand, increases control over unauthorized changes; on the other hand, it makes web server security an orphan.