Content Security Policy (CSP) is a security standard implemented by web browsers to help prevent a wide range of attacks, including Cross-Site Scripting (XSS) and other data injection vulnerabilities. In simple terms, CSP is a declarative security mechanism that allows web administrators to specify which dynamic resources (like JavaScript, CSS, images, etc.) are allowed to be loaded and executed by the user's browser for a given web page.
Its primary purpose is to mitigate the risk of content injection attacks. By defining a strict whitelist of trusted content sources, CSP prevents the browser from loading or executing malicious scripts, stylesheets, or other assets injected by attackers. For instance, if an attacker successfully injects a <script> tag into a web page, CSP can block its execution if the script's origin is not explicitly whitelisted by the policy. This significantly reduces the impact of XSS attacks, as even if an attacker manages to inject code, the browser will refuse to run it.
CSP works by allowing web developers to define a policy that restricts content sources. This policy is typically delivered to the browser via an HTTP response header, Content-Security-Policy. The policy consists of one or more directives, each specifying allowed sources for a particular type of resource (e.g., script-src for JavaScript, style-src for CSS, img-src for images). When the browser receives a web page, it parses the CSP header and then evaluates all resource requests against the defined policy. If a resource's origin (e.g., a script from an untrusted domain) does not match any of the allowed sources in the policy for its respective directive, the browser blocks the resource from loading or executing.
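To make that evaluation step concrete, here is a small added example (not code from the original page) of a policy evaluator in Python that parses a Content-Security-Policy header and decides whether a given resource load is permitted; the policy string, host names and page URL are constructed for illustration. It implements a subset of the browser's source matching rules ('self', 'none', *, scheme sources, and host sources with an optional leading wildcard) and the fallback from a missing directive to default-src.

```python
from urllib.parse import urlparse

def origin_of(url):
    """Return (scheme, host, port) for a URL, filling in the default port."""
    p = urlparse(url)
    port = p.port or {"https": 443, "http": 80}.get(p.scheme)
    return (p.scheme, (p.hostname or "").lower(), port)

def parse_csp(header):
    """Split a CSP header into {directive-name: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def source_matches(source, resource_url, page_url):
    """Does one source expression permit resource_url? (subset of CSP matching)"""
    src = source.lower()
    scheme, host, port = origin_of(resource_url)
    if src == "'none'":
        return False
    if src == "'self'":                 # same scheme, host and port as the page
        return (scheme, host, port) == origin_of(page_url)
    if src == "*":
        return scheme in ("http", "https")
    if src.endswith(":"):               # scheme-source, e.g. "https:"
        return scheme == src[:-1]
    src_scheme, _, rest = src.rpartition("://")
    src_host, _, src_port = rest.partition(":")
    if src_scheme and scheme != src_scheme:
        return False
    if src_port and str(port) != src_port:
        return False
    if src_host.startswith("*."):       # wildcard matches subdomains only
        return host.endswith(src_host[1:])
    return host == src_host

def is_allowed(header, directive, resource_url, page_url):
    """Apply the policy as the browser does: the resource type's directive governs,
    falling back to default-src; with no governing directive the load is allowed."""
    policy = parse_csp(header)
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True
    return any(source_matches(s, resource_url, page_url) for s in sources)

# Constructed sample policy and page URL (hypothetical hosts, not from the page).
POLICY = "default-src 'self'; script-src 'self' https://cdn.example.org; img-src *"
PAGE = "https://app.example.com/index.html"
print(is_allowed(POLICY, "script-src", "https://evil.example.net/x.js", PAGE))  # False
```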
Based on the explanation, provide a complete and syntactically correct Content-Security-Policy HTTP header that restricts the browser to only loading scripts from the website's own domain and also allows scripts from https://trusted-cdn.com.