What is CSP

Content Security Policy (CSP) is a web security standard that aims to mitigate cross-site scripting (XSS), clickjacking (via the frame-ancestors directive) and other code injection attacks that result from malicious content executing in the context of a trusted page. CSP is an additional layer of security that helps to detect and mitigate certain classes of attack, including XSS and data injection. It is designed to be backward compatible: browsers that don't support it still work with servers that send a policy, and browsers that do support it still work with servers that send none.

CSP is delivered either as a Content-Security-Policy header in the HTTP response or, with reduced capability, in an HTML <meta http-equiv="Content-Security-Policy"> tag (the frame-ancestors, report-uri and sandbox directives cannot be delivered through the meta tag). The policy itself consists of one or more directives separated by semicolons; each directive names a resource type (JavaScript, CSS, images and so on) and lists the sources from which that resource type may be loaded. Fetch directives that are not set fall back to default-src. CSP can also restrict network communication to specific origins using the connect-src directive, which covers fetch(), XMLHttpRequest, WebSocket and similar connections and can therefore stop injected script from exfiltrating stolen data to an attacker-controlled domain.

CSP is not a substitute for careful input validation and output encoding; it is best used as one layer in a defense-in-depth strategy. Adopting CSP in a new application is usually straightforward, whereas existing applications may need refactoring or a relaxed policy, and it is common to roll a policy out first with the Content-Security-Policy-Report-Only header so that violations are reported without being enforced. Recommended coding practice for CSP-compatible web applications is to load code from external source files rather than inline <script> blocks, to parse JSON with JSON.parse() instead of passing it to eval(), and to attach event handlers with EventTarget.addEventListener() instead of inline onclick-style attributes, because inline script and eval() are blocked unless the policy explicitly allows them with 'unsafe-inline' or 'unsafe-eval'.
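To make the directive structure and the fallback rules concrete, here is a small policy evaluator, added to this page as an illustration (it is not code from the original article and not a browser's implementation). It parses a policy string in the form a browser receives in the Content-Security-Policy header, then answers whether a given load, an inline script, or eval() would be allowed. The policy, the origin https://app.example.com and the hosts cdn.example.com and evil.example.net are constructed for the example; only a subset of CSP source-expression matching is implemented (keywords, nonces, scheme sources, hosts with an optional leading wildcard), and ports and paths are ignored.

```javascript
// Added example: a minimal Content-Security-Policy evaluator (illustrative only).
// Run with: node csp-eval.js

// Fetch directives fall back to default-src when they are not set explicitly.
const FETCH_DIRECTIVES = new Set([
  'script-src', 'style-src', 'img-src', 'connect-src', 'font-src',
  'media-src', 'object-src', 'frame-src', 'child-src', 'worker-src',
]);

// Parse "name value value; name value" into a Map of directive name -> [source expressions].
function parsePolicy(policy) {
  const directives = new Map();
  for (const raw of policy.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A directive repeated inside one policy is ignored after its first occurrence.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// The source list that governs a directive, or null if nothing governs it
// (no directive and no default-src means CSP imposes no restriction).
function effectiveSources(directives, directive) {
  if (directives.has(directive)) return directives.get(directive);
  if (FETCH_DIRECTIVES.has(directive) && directives.has('default-src')) {
    return directives.get('default-src');
  }
  return null;
}

// Does one source expression match a URL? selfOrigin is the origin of the page.
function sourceMatches(expr, url, selfOrigin) {
  const lower = expr.toLowerCase();
  if (lower === "'self'") return url.origin === selfOrigin;
  if (lower === "'none'") return false;
  if (lower.startsWith("'")) return false;           // keyword, nonce or hash: never a URL match
  if (lower === '*') return !['data:', 'blob:', 'filesystem:'].includes(url.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/.test(lower)) return url.protocol === lower; // scheme-source, e.g. "https:"
  // host-source: optional scheme, optional leading "*." wildcard; port and path are ignored here.
  const m = lower.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/]+)/);
  if (!m) return false;
  const [, scheme, wildcard, host] = m;
  if (scheme && url.protocol !== scheme + ':') return false;
  return wildcard ? url.hostname.endsWith('.' + host) : url.hostname === host;
}

function isUrlAllowed(directives, directive, urlString, selfOrigin) {
  const sources = effectiveSources(directives, directive);
  if (sources === null) return true;
  const url = new URL(urlString);
  return sources.some((src) => sourceMatches(src, url, selfOrigin));
}

// Inline script (a <script> block or an onclick= attribute) needs 'unsafe-inline' or a
// matching nonce. When any nonce or hash is present, 'unsafe-inline' is ignored.
function isInlineScriptAllowed(directives, nonce) {
  const sources = effectiveSources(directives, 'script-src');
  if (sources === null) return true;
  if (nonce && sources.includes(`'nonce-${nonce}'`)) return true; // nonces compare case-sensitively
  const hasNonceOrHash = sources.some((s) => /^'(nonce|sha256|sha384|sha512)-/i.test(s));
  return !hasNonceOrHash && sources.some((s) => s.toLowerCase() === "'unsafe-inline'");
}

// eval(), new Function() and string-argument setTimeout need 'unsafe-eval'.
function isEvalAllowed(directives) {
  const sources = effectiveSources(directives, 'script-src');
  if (sources === null) return true;
  return sources.some((s) => s.toLowerCase() === "'unsafe-eval'");
}

// Constructed policy and origin, as the header value would appear in an HTTP response.
const POLICY = "default-src 'self'; script-src 'self' https://cdn.example.com 'nonce-r4nd0m'; connect-src 'self'; object-src 'none'";
const SELF_ORIGIN = 'https://app.example.com';

function demo() {
  const d = parsePolicy(POLICY);
  return {
    externalScript: isUrlAllowed(d, 'script-src', 'https://cdn.example.com/lib.js', SELF_ORIGIN),  // allowed by script-src
    attackerScript: isUrlAllowed(d, 'script-src', 'https://evil.example.net/x.js', SELF_ORIGIN),   // blocked
    exfiltration:   isUrlAllowed(d, 'connect-src', 'https://evil.example.net/collect', SELF_ORIGIN), // blocked: connect-src 'self'
    sameOriginImg:  isUrlAllowed(d, 'img-src', 'https://app.example.com/logo.png', SELF_ORIGIN),   // allowed via default-src fallback
    cdnImg:         isUrlAllowed(d, 'img-src', 'https://cdn.example.com/logo.png', SELF_ORIGIN),   // blocked: img-src falls back to default-src, not script-src
    inlineHandler:  isInlineScriptAllowed(d, null),                                                // blocked: refactor to addEventListener()
    noncedInline:   isInlineScriptAllowed(d, 'r4nd0m'),                                            // allowed by the nonce
    evalJson:       isEvalAllowed(d),                                                              // blocked: use JSON.parse()
    plugin:         isUrlAllowed(d, 'object-src', 'https://app.example.com/x.swf', SELF_ORIGIN),   // blocked: object-src 'none'
  };
}

console.log(demo());
```

The constructed policy shows why the refactoring advice above matters: with no 'unsafe-inline' or 'unsafe-eval' in script-src, an inline onclick handler and an eval()-based JSON loader both fail, while an external script from the allow-listed CDN and a nonce-carrying inline block succeed. The img-src cases show the fallback rule: an unset fetch directive inherits default-src, not the script-src list.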

In summary, CSP is a security standard that provides an additional layer of protection against cross-site scripting (XSS), clickjacking and other code injection attacks that rely on malicious content executing in the context of a trusted page. It restricts which resource types can be loaded and the origins they can be loaded from, and it is delivered as a Content-Security-Policy header in the HTTP response or, with some directives unavailable, in an HTML meta tag.
