CSP (the Content-Security-Policy response header) tells the browser which origins the page may load resources from (scripts, styles, images, fonts, frames, fetch/XHR targets) and whether inline scripts may run. It does not prevent our site from being compromised, but it limits the damage once injected or malicious code is running in a user's browser within our site's context: an XSS payload that tries to load a script from the attacker's server, or to send data there over fetch/XHR, is blocked by the browser.
Content-Security-Policy: default-src 'self'
Only resources from the page's own origin (same scheme, host and port) may be loaded; resources from other domains are blocked. Inline scripts such as <script>alert('hello')</script>, inline event handlers and eval() are blocked as well, because 'self' does not include 'unsafe-inline' or 'unsafe-eval'.

Content-Security-Policy: default-src 'self' *.trusted.com
As above, but additionally allows resources from any subdomain of trusted.com (cdn.trusted.com, static.trusted.com, ...). The wildcard covers subdomains only, not trusted.com itself, and since no scheme is given it matches the page's own scheme. Keywords must be written with straight ASCII single quotes ('self'); curly quotes (‘self’) are not recognised as the keyword, and the browser ignores that source, so nothing is allowed by it.
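To make the two policies above concrete, here is an added example (not part of the original notes) in Node.js: a small evaluator for CSP source lists that decides whether a given URL may be loaded under a policy and whether an inline script runs. It assumes our site is served from https://example.com (a constructed origin) and goes a little beyond the two headers on the page by also handling scheme and port in host sources, 'none', '*' and the CSP3 rule that a nonce or hash disables 'unsafe-inline'. It is not a full CSP implementation and is not browser code.

```javascript
// Added example: a simplified CSP source-list evaluator (not a browser's
// implementation). Covers 'self', 'none', 'unsafe-inline', nonces/hashes (only
// as far as they disable 'unsafe-inline'), '*' and [scheme://][*.]host[:port].

// Assumed origin of "our site" for these examples (constructed, not real).
const PAGE_ORIGIN = "https://example.com";

// Parse "default-src 'self' *.trusted.com; img-src *" into
// { "default-src": ["'self'", "*.trusted.com"], "img-src": ["*"] }.
function parseCsp(headerValue) {
  const policy = {};
  for (const part of headerValue.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// Keywords are only recognised in straight ASCII single quotes. A header typed
// with curly quotes (‘self’) is not the keyword: browsers treat it as an
// unrecognised source expression and ignore it, so it allows nothing.
function isKeyword(src, kw) {
  return src === `'${kw}'`;
}

function defaultPort(protocol) {
  return { "https:": "443", "http:": "80", "wss:": "443", "ws:": "80" }[protocol] || "";
}

// Host-source matching in the spirit of CSP3 "Does url match expression":
// without a scheme the page's scheme is required; without a port the default
// port of the scheme is required; "*.trusted.com" matches subdomains of
// trusted.com but not trusted.com itself.
function hostSourceMatches(src, url, pageOrigin) {
  if (src === "*") return /^(https?|wss?):$/.test(url.protocol);
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9-]+(?:\.[a-z0-9-]+)*)(?::(\d+|\*))?$/i.exec(src);
  if (!m) return false; // malformed source (e.g. curly quotes): never matches
  const [, scheme, wildcard, host, port] = m;
  const pageScheme = new URL(pageOrigin).protocol.slice(0, -1);
  const wantScheme = (scheme || pageScheme).toLowerCase();
  if (url.protocol.slice(0, -1) !== wantScheme) return false;
  const h = url.hostname.toLowerCase();
  const wantHost = host.toLowerCase();
  if (wildcard ? !h.endsWith("." + wantHost) : h !== wantHost) return false;
  const urlPort = url.port || defaultPort(url.protocol);
  if (port === "*") return true;
  if (port) return port === urlPort;
  return urlPort === defaultPort(url.protocol);
}

// May a resource governed by `directive` (e.g. "script-src") be loaded from
// `resourceUrl`? Fetch directives fall back to default-src when absent.
function isSourceAllowed(policy, directive, resourceUrl, pageOrigin = PAGE_ORIGIN) {
  const sources = policy[directive] || policy["default-src"];
  if (!sources) return true; // nothing governs this type: browser default allows
  const url = new URL(resourceUrl, pageOrigin);
  const page = new URL(pageOrigin);
  return sources.some((src) => {
    if (isKeyword(src, "self")) return url.origin === page.origin;
    if (src.startsWith("'")) return false; // 'none', 'unsafe-inline', nonces... authorise no URL
    return hostSourceMatches(src, url, pageOrigin);
  });
}

// Does an inline <script> without nonce or hash execute? Only with
// 'unsafe-inline', and CSP3 ignores 'unsafe-inline' once a nonce or hash
// source is present in the same directive.
function isInlineScriptAllowed(policy) {
  const sources = policy["script-src"] || policy["default-src"];
  if (!sources) return true;
  const hasNonceOrHash = sources.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  return !hasNonceOrHash && sources.some((s) => isKeyword(s, "unsafe-inline"));
}

// The two policies from the notes, plus the curly-quoted typo.
const strict = parseCsp("default-src 'self'");
const trusted = parseCsp("default-src 'self' *.trusted.com");
const curly = parseCsp("default-src ‘self’");

console.log(isSourceAllowed(strict, "script-src", "/app.js"));                              // true
console.log(isSourceAllowed(strict, "script-src", "https://cdn.trusted.com/lib.js"));       // false
console.log(isSourceAllowed(trusted, "script-src", "https://cdn.trusted.com/lib.js"));      // true
console.log(isSourceAllowed(trusted, "script-src", "https://trusted.com/lib.js"));          // false: wildcard excludes the apex
console.log(isSourceAllowed(trusted, "img-src", "https://cdn.trusted.com.evil.net/p.png")); // false
console.log(isInlineScriptAllowed(strict));                                                  // false
console.log(isSourceAllowed(curly, "script-src", "/app.js"));                               // false: ‘self’ is not a keyword
```

Run it with `node csp-eval.js`. The last line is the check worth remembering: a policy copied from a slide deck or word processor with curly quotes parses without error but permits nothing from 'self', which shows up as a page that loads no scripts or styles at all rather than as a visible configuration error.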