A Content Security Policy (CSP) is a computer security standard introduced to limit the risk and damage from code injection attacks. It is a policy, delivered in the page's HTTP response headers, that declares where content can be loaded from and how it can be loaded. An example of code injection is a cross-site scripting (XSS) attack, in which user-provided content is not properly sanitized and includes markup that loads content from malicious third-party sites. A CSP allows the browser to identify such a request as suspect and block it.
To implement a CSP on your website, specify the rules the browser should expect the page to follow when it requests resources. This usually means “whitelisting” the domains from which resources may be requested. CSP rules apply to any class of element in a page that specifies a source attribute or requests a web resource. Each class of request can have its own rules and whitelisted domains.
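The per-class rules described above, as an added example that is not part of the original page: a simplified JavaScript model of how a policy with one allowlist per class of request decides whether a given request is permitted. The policy string, the domain names and the function names are constructed for illustration, and the source matching deliberately ignores paths, ports, nonces and hashes.

```javascript
// Constructed sample policy: one rule set per class of request.
const SAMPLE_POLICY =
  "default-src 'self'; script-src 'self' https://cdn.example.com; " +
  "img-src 'self' https://*.images.example.net; object-src 'none'";

// Parse a policy string into a Map of directive name -> source list.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // When a directive is repeated, only its first occurrence is used.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

// Does one source expression match the requested URL?
// Simplified model: only 'self', "*" and [scheme://][*.]host are supported.
function sourceMatches(source, url, pageOrigin) {
  if (source === "'self'") return url.origin === pageOrigin;
  if (source === "*") return url.protocol === "http:" || url.protocol === "https:";
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)$/i.exec(source);
  if (!m) return false; // unsupported expression (or 'none'): no match
  const [, scheme, wildcard, host] = m;
  // Simplification: a source without a scheme must use the page's own scheme.
  const want = scheme ? scheme.toLowerCase() + ":" : new URL(pageOrigin).protocol;
  if (url.protocol !== want) return false;
  const h = url.hostname.toLowerCase();
  return wildcard ? h.endsWith("." + host.toLowerCase()) : h === host.toLowerCase();
}

// Decide whether a request of a given class (e.g. "script-src") is allowed.
function isAllowed(policy, directive, requestUrl, pageOrigin) {
  const directives = parseCsp(policy);
  // A class without its own rule falls back to default-src.
  const sources = directives.get(directive) ?? directives.get("default-src");
  if (sources === undefined) return true; // no rule at all: not restricted
  const url = new URL(requestUrl, pageOrigin); // resolves relative URLs
  // An empty list or a lone 'none' matches nothing, so the request is blocked.
  return sources.some((s) => sourceMatches(s, url, pageOrigin));
}
```

Calling `isAllowed(SAMPLE_POLICY, "font-src", ...)` shows the fallback: the sample policy has no font rule, so font requests are judged against `default-src`.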