June 2018 – Google Releases Security Update for Chrome

Content Security Policy (CSP) provides a standard HTTP header that allows website owners to declare approved sources of content that browsers should be allowed to load on that page.

CSP is a browser-based XSS protection mechanism. It takes a least-privilege approach that whitelists content you trust; nothing else will execute. It assumes that inline scripts are bad.
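To make the whitelist model concrete, here is an added example (not from the original post or from the Chrome project) that parses a `Content-Security-Policy` value and reports the settings that undo its script restrictions. The two sample policies are constructed, and `cdn.example.com` is a placeholder host.

```javascript
// Added example: audit the script-loading rules of a Content-Security-Policy value.
// WEAK and STRICT are constructed samples; cdn.example.com is a placeholder host.

// Parse "directive src1 src2; directive2 ..." into a Map.
// The first occurrence of a directive wins; later duplicates are ignored.
function parseCsp(headerValue) {
  const policy = new Map();
  for (const part of headerValue.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// Return the reasons a policy fails to restrict script execution (empty = none found).
function auditScriptPolicy(headerValue) {
  const policy = parseCsp(headerValue);
  // script-src falls back to default-src when it is absent.
  const sources = policy.get("script-src") || policy.get("default-src");
  if (sources === undefined) {
    return ["no script-src or default-src: scripts are unrestricted"];
  }
  const lower = sources.map((s) => s.toLowerCase());
  const findings = [];
  // Browsers ignore 'unsafe-inline' when a nonce or hash source is present.
  const hasNonceOrHash = lower.some((s) => /^'(nonce|sha256|sha384|sha512)-/.test(s));
  if (lower.includes("'unsafe-inline'") && !hasNonceOrHash) {
    findings.push("'unsafe-inline' re-enables inline scripts");
  }
  if (lower.includes("'unsafe-eval'")) findings.push("'unsafe-eval' permits eval()");
  if (lower.includes("*")) findings.push("wildcard * allows scripts from any host");
  if (lower.includes("data:")) findings.push("data: allows scripts from data: URLs");
  return findings;
}

const WEAK = "default-src *; script-src 'self' 'unsafe-inline' *";
const STRICT = "default-src 'none'; script-src 'self' https://cdn.example.com";

for (const [label, value] of [["weak", WEAK], ["strict", STRICT]]) {
  const findings = auditScriptPolicy(value);
  console.log(`${label}: ${findings.length === 0 ? "no findings" : findings.join("; ")}`);
}
```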

But…

High CVE-2018-6148: Incorrect handling of CSP header

https://chromereleases.googleblog.com/search/label/Stable%20updates