An Introduction to Content Security Policy – HTML5 Rocks

Mike West runs through everything you need to know about Content Security Policy


Instead of having the browser blindly trust everything a server delivers, CSP defines the Content-Security-Policy HTTP header, with which you declare a whitelist of trusted content sources; the browser then executes or renders resources only from those sources. Even if an attacker finds a hole through which to inject script, the injected script won't match the whitelist and therefore won't be executed. Note that this protection depends on the policy not granting 'unsafe-inline' for script-src: once a script-src (or default-src) directive is set, inline script is off by default, which is exactly why an injected inline <script> has nothing in the whitelist to match.
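To make the matching decision concrete, here is an added example (not code from the HTML5 Rocks article or from any browser): a small JavaScript model of how a browser checks a script against the script-src directive of a parsed policy. The function names (parsePolicy, sourceMatches, scriptAllowed, evaluateScripts), the policy string and the origins are all hypothetical and constructed for the demonstration; nonces, hashes, 'strict-dynamic', path matching and default-port normalisation are deliberately omitted.

```javascript
// Added example, not code from the HTML5 Rocks article: a simplified model of the
// decision a browser makes when CSP's script-src directive is evaluated against a
// script the page tries to run. All names and inputs here are hypothetical;
// nonces, hashes, 'strict-dynamic', path matching and port defaults are left out.

// Parse a Content-Security-Policy header value into { directive: [source expressions] }.
function parsePolicy(headerValue) {
  const policy = {};
  for (const part of headerValue.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// Does one source expression match scriptUrl, loaded by a document at pageOrigin?
function sourceMatches(expr, scriptUrl, pageOrigin) {
  const url = new URL(scriptUrl);
  const page = new URL(pageOrigin);
  const e = expr.toLowerCase();

  if (e === "'none'") return false;
  if (e === "'self'") return url.origin === page.origin;
  if (e.startsWith("'")) return false;                 // other keywords never match a URL
  if (e === '*') return url.protocol === 'http:' || url.protocol === 'https:';
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) return url.protocol === e;   // scheme-source, e.g. https:

  // host-source: [scheme://]host[:port]; the host may begin with a wildcard label
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^\/:]+)(?::(\d+|\*))?/.exec(e);
  if (!m) return false;
  const [, scheme, host, port] = m;

  const schemeOk = scheme
    ? url.protocol === scheme + ':'
    : url.protocol === page.protocol || url.protocol === 'https:';  // no scheme: page's scheme (or https)
  if (!schemeOk) return false;

  const hostOk = host.startsWith('*.')
    ? url.hostname.endsWith(host.slice(1))   // *.example matches a.example, not example itself
    : url.hostname === host;
  if (!hostOk) return false;

  if (port === '*') return true;
  return (port ?? '') === url.port;          // '' means the scheme's default port
}

// Whole-policy decision: script-src governs scripts, falling back to default-src.
function scriptAllowed(policy, script, pageOrigin) {
  const sources = policy['script-src'] ?? policy['default-src'];
  if (!sources) return true;                        // no applicable directive: unrestricted
  if (script.inline) {
    // An injected inline <script>, the classic XSS payload, has no URL to match;
    // it runs only if the policy explicitly says 'unsafe-inline'.
    return sources.some(s => s.toLowerCase() === "'unsafe-inline'");
  }
  return sources.some(s => sourceMatches(s, script.src, pageOrigin));
}

// Constructed scenario: a page's policy and the scripts it encounters (hypothetical hosts).
const PAGE_ORIGIN = 'https://app.example';
const HEADER = "default-src 'none'; script-src 'self' https://cdn.example *.static.example; img-src *";

function evaluateScripts() {
  const policy = parsePolicy(HEADER);
  const scripts = {
    ownScript:      { src: 'https://app.example/js/app.js' },
    whitelistedCdn: { src: 'https://cdn.example/lib.js' },
    wildcardHost:   { src: 'https://a.static.example/x.js' },
    wildcardApex:   { src: 'https://static.example/x.js' },      // *.static.example does not cover the apex
    wrongPort:      { src: 'https://cdn.example:8443/lib.js' },
    attackerHost:   { src: 'https://evil.example/x.js' },
    injectedInline: { inline: true, body: 'alert(document.cookie)' },
  };
  const verdicts = {};
  for (const [name, script] of Object.entries(scripts)) {
    verdicts[name] = scriptAllowed(policy, script, PAGE_ORIGIN);
  }
  return verdicts;
}

for (const [name, allowed] of Object.entries(evaluateScripts())) {
  console.log(`${name.padEnd(15)} ${allowed ? 'allowed' : 'BLOCKED'}`);
}
```

The two last cases are the ones the paragraph is about: a script pulled from an attacker-controlled host is refused because no source expression matches it, and an injected inline script is refused because the policy never said 'unsafe-inline'. Adding 'unsafe-inline' to script-src would flip the inline verdict to allowed, which is why that keyword undoes most of what CSP buys you against XSS.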

Read more from the source: HTML5 Rocks – A resource for open web HTML5 developers