After my last post on browser-based security, a few people asked how CSP (Content Security Policy) works.
Basically, it is a contract between a web server and the client (i.e. the browser). The browser, being a client, executes essentially everything sent to it by the web server. This is very risky when the web server is compromised, which is what happens when an attacker successfully launches an XSS attack against a website and adds HTML code to its pages.
Content Security Policy enables a web server to tell the client that it should not execute JavaScript files that do not come from the same domain (or from an approved domain). This is done by communicating a whitelist of domains in an HTTP header. Because CSP is set in the header and generated by the web server, XSS attacks and SQL injection (both application-level attacks) cannot change the HTTP header. A browser that follows CSP will not execute malicious JavaScript even if the HTML asks it to.
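To make the contract concrete, here is an added example (written for this post, not code from the original) in Python. It builds the header value a web server would send for a given whitelist of approved script hosts, and then models the decision a CSP-enforcing browser makes when the HTML asks it to load a script: allowed if the script's origin matches `'self'` or a whitelisted host, blocked otherwise. The host names (`www.site.example`, `cdn.approved.example`, `evil.example`) are constructed for the example, and the matcher covers only the host-source subset of CSP (no nonces, hashes or path matching).

```python
"""Added example: server-side CSP header construction plus a simplified model of
the browser-side check.  Not the original post's code; hosts are constructed."""
from urllib.parse import urlsplit


def build_csp_header(approved_script_hosts):
    """Header value for a site that runs scripts only from its own origin plus
    the whitelisted hosts, and refuses plugins (object-src 'none')."""
    sources = ["'self'"] + list(approved_script_hosts)
    return "default-src 'self'; script-src " + " ".join(sources) + "; object-src 'none'"


def parse_csp(header_value):
    """Parse "directive src src; directive src" into {directive: [sources]}."""
    policy = {}
    for directive in header_value.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def _source_matches(source, script_url, page_origin):
    """Match one CSP source expression (host-source subset) against a script URL."""
    s = urlsplit(script_url)
    if source == "'none'":
        return False
    if source == "'self'":
        # Same scheme and host[:port] as the page that carries the policy.
        return (s.scheme, s.netloc) == page_origin
    if source == "*":
        return True
    if "://" in source:
        src_scheme, _, src_host = source.partition("://")
        if src_scheme != s.scheme:
            return False
    else:
        src_host = source  # bare host: any scheme
    if src_host.startswith("*."):
        # *.cdn.example matches a.cdn.example but not cdn.example itself
        return s.hostname.endswith(src_host[1:])
    return s.hostname == src_host


def script_allowed(header_value, script_url, page_url):
    """Would a CSP-enforcing browser load this external script?
    script-src governs if present, otherwise default-src; no policy means yes."""
    policy = parse_csp(header_value)
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return True
    p = urlsplit(page_url)
    return any(_source_matches(src, script_url, (p.scheme, p.netloc)) for src in sources)


def inline_script_allowed(header_value):
    """Injected <script>...</script> blocks only run when the policy opts in
    with 'unsafe-inline' (the hash/nonce variants are omitted in this model)."""
    policy = parse_csp(header_value)
    sources = policy.get("script-src", policy.get("default-src"))
    return sources is None or "'unsafe-inline'" in sources


if __name__ == "__main__":
    header = build_csp_header(["https://cdn.approved.example"])
    print("Content-Security-Policy:", header)
    page = "https://www.site.example/index.html"
    for url in ("https://www.site.example/app.js",
                "https://cdn.approved.example/lib.js",
                "https://evil.example/x.js"):
        print(url, "->", "load" if script_allowed(header, url, page) else "BLOCKED")
    print("inline <script> ->", "run" if inline_script_allowed(header) else "BLOCKED")
```

The point to notice is that `build_csp_header` is the only part under the server administrator's control; everything an attacker manages to inject into the HTML is evaluated by `script_allowed` and `inline_script_allowed` against a header the injected markup cannot rewrite.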
As CSP is implemented at the web server level, it is the website administrator's duty to enable this feature. Usually the programmer has no right to change the production configuration of the web server. This segregation of duties increases control over unauthorized changes on the one hand, but on the other hand it makes web server security an orphan.