Public websites are increasingly being injected with content that claims to belong to the legitimate site but is in fact hosted somewhere else. Once such content is executed in the victim's browser, the attacker can abuse the victim's privileges in that application in any number of ways. These injections are made possible by attacks such as cross-site scripting (XSS) and clickjacking. Content Security Policy (CSP) was introduced to prevent such malicious activity.
The primary use of Content Security Policy is to prevent cross-site scripting (XSS). One might wonder how simply deploying CSP can prevent an attack as critical as XSS. When a developer sends a Content-Security-Policy header with their application's responses, the browser is told which sources of script and other content are trusted, and it refuses to execute anything else; this stops an attacker from forcing the browser to run malicious code or scripts that were injected into the page.
Following are the ways CSP blocks unknown content:
Content Security Policy should be deployed in particular on applications that handle critical data, such as administrative UIs, device management consoles, and services that host messages or media files, to protect them from attacks that inject code and scripts.
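To make the mechanism concrete, here is an added example (not code from the article): a small checker that parses a Content-Security-Policy header value and reports whether the policy would refuse an injected inline script or a script tag pointed at an arbitrary remote host, the two injection cases CSP is meant to stop. The function names and the sample policies are constructed for illustration.

```python
# Added example: parse a CSP header value and check whether its script policy
# would refuse injected scripts. Helper names and sample policies are constructed.

INLINE_OVERRIDES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header: str) -> dict:
    """Split a CSP header value into {directive-name: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.strip().split()
        if parts:
            # Browsers honour only the first occurrence of a directive name.
            policy.setdefault(parts[0].lower(), parts[1:])
    return policy


def script_sources(policy: dict):
    """script-src governs scripts; default-src is the fallback; None = no limit."""
    return policy.get("script-src", policy.get("default-src"))


def blocks_inline_script(header: str) -> bool:
    """True if an injected <script>alert(1)</script> would not run."""
    sources = script_sources(parse_csp(header))
    if sources is None:
        return False
    lowered = [s.lower() for s in sources]
    if "'unsafe-inline'" not in lowered:
        return True
    # A nonce or hash in the same directive makes CSP2+ browsers ignore
    # 'unsafe-inline'; an injected script carries neither, so it is refused.
    return any(s.startswith(INLINE_OVERRIDES) for s in lowered)


def blocks_arbitrary_remote_script(header: str) -> bool:
    """True if <script src="https://attacker.example/x.js"> would not load."""
    sources = script_sources(parse_csp(header))
    if sources is None:
        return False
    # '*' or a bare scheme such as https: allows scripts from every host.
    return not any(s.lower() in ("*", "https:", "http:") for s in sources)


# Constructed sample policies: a weak one and a hardened one.
WEAK_CSP = "default-src *; script-src * 'unsafe-inline'"
STRONG_CSP = "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; object-src 'none'"

if __name__ == "__main__":
    for name, csp in (("weak", WEAK_CSP), ("strong", STRONG_CSP)):
        print(name, blocks_inline_script(csp), blocks_arbitrary_remote_script(csp))
```

Run it against your own production header value to see whether the policy actually constrains scripts or merely exists.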