At its core, the Content Security Policy header allows you to define where your web pages are allowed to load content from.
It is a mechanism web applications can use to mitigate a broad class of content injection vulnerabilities, such as cross-site scripting (XSS).
Oh, and it’s awesome.
Since the spec is still a draft, Firefox is using X-Content-Security-Policy and WebKit (Chrome, Safari) is using X-WebKit-CSP, so to cover both engines today you send both prefixed headers. Once the spec is locked down they’ll move to the canonical Content-Security-Policy header.
Here are some examples borrowed directly from the Working Draft 1.0 document:
Example 1: A server wishes to load resources only from its own origin:
Content-Security-Policy: default-src 'self'
Example 2: An auction site wishes to load images from any URI, plugin content from a list of trusted media providers (including a content distribution network), and scripts only from a server under its control hosting sanitized ECMAScript:
Content-Security-Policy: default-src 'self'; img-src *; object-src media1.example.com media2.example.com *.cdn.example.com; script-src trustedscripts.example.com
Example 3: An online banking site wishes to ensure that all of the content in its pages is loaded over TLS, to prevent attackers from eavesdropping on insecure content requests:
Content-Security-Policy: default-src https: 'unsafe-inline' 'unsafe-eval'
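To make the three policies above concrete, here is a small evaluator for the source-matching rules they rely on. This is an added example written for this post, not code from the CSP draft or from any browser: it implements the fetch-directive subset of CSP 1.0 (default-src as the fallback, 'self', scheme-only sources like https:, host sources and *.wildcards) and ignores paths, reports and other directives. The page origins and resource URLs are constructed for the demo. Note what it shows about Example 3: with 'unsafe-inline' and 'unsafe-eval' in default-src, inline scripts are still allowed, so that policy enforces TLS but gives no XSS protection.

```javascript
// Added example, not the browser's or the spec's implementation: a simplified
// CSP 1.0 evaluator for the source lists used in Examples 1-3.
// All page origins and resource URLs below are constructed for illustration.

// Parse "name src src; name src" into a Map of directive name -> source list.
function parsePolicy(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// The source list that governs a directive: the directive itself if present,
// otherwise default-src. null means the policy does not restrict that type.
function governingSources(policy, directive) {
  if (policy.has(directive)) return policy.get(directive);
  if (policy.has('default-src')) return policy.get('default-src');
  return null;
}

// Simplified host-source grammar: [scheme://][*.]host[:port|:*][/path]
const HOST_SOURCE = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9-]+(?:\.[a-z0-9-]+)*)(?::(\d+|\*))?(?:\/.*)?$/i;

// Does one source expression match a resource URL loaded into a page
// served from pageOrigin?
function sourceMatches(expr, resourceUrl, pageOrigin) {
  const res = new URL(resourceUrl);
  const page = new URL(pageOrigin);
  switch (expr) {
    case "'self'": return res.origin === page.origin;
    case "'none'": return false;
    case '*': return true;
    case "'unsafe-inline'":
    case "'unsafe-eval'": return false; // keywords about inline/eval, never a host match
  }
  // scheme-source such as "https:" matches any host on that scheme
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) {
    return res.protocol.toLowerCase() === expr.toLowerCase();
  }
  const m = HOST_SOURCE.exec(expr);
  if (!m) return false; // an expression we do not understand grants nothing
  const [, scheme, wildcard, host, port] = m;
  // No explicit scheme: the page's own scheme is required (https page => https only)
  const wantScheme = scheme ? scheme.toLowerCase() + ':' : page.protocol;
  if (res.protocol !== wantScheme) return false;
  const h = host.toLowerCase();
  const hostOk = wildcard ? res.hostname.endsWith('.' + h) : res.hostname === h;
  if (!hostOk) return false;
  // No port in the expression means the scheme's default port (URL reports it as '')
  if (port === '*') return true;
  return res.port === (port || '');
}

// Would a browser enforcing this header load the resource?
function isAllowed(header, directive, resourceUrl, pageOrigin) {
  const sources = governingSources(parsePolicy(header), directive);
  if (sources === null) return true;
  return sources.some((s) => sourceMatches(s, resourceUrl, pageOrigin));
}

// Are inline <script> blocks and event handlers allowed? Only with 'unsafe-inline'.
function inlineScriptAllowed(header) {
  const sources = governingSources(parsePolicy(header), 'script-src');
  return sources === null || sources.includes("'unsafe-inline'");
}

// The three example policies from the draft.
const POLICY1 = "default-src 'self'";
const POLICY2 = "default-src 'self'; img-src *; object-src media1.example.com media2.example.com *.cdn.example.com; script-src trustedscripts.example.com";
const POLICY3 = "default-src https: 'unsafe-inline' 'unsafe-eval'";

// Demo against constructed origins (auction.example.com and bank.example.com are made up).
function demo() {
  const auction = 'https://auction.example.com';
  const bank = 'https://bank.example.com';
  console.log('script from trustedscripts:', isAllowed(POLICY2, 'script-src', 'https://trustedscripts.example.com/app.js', auction));
  console.log('script from elsewhere:', isAllowed(POLICY2, 'script-src', 'https://evil.example.net/x.js', auction));
  console.log('object from CDN subdomain:', isAllowed(POLICY2, 'object-src', 'https://assets.cdn.example.com/player.swf', auction));
  console.log('object over plain http:', isAllowed(POLICY2, 'object-src', 'http://media1.example.com/player.swf', auction));
  console.log('bank: http script:', isAllowed(POLICY3, 'script-src', 'http://anything.example.net/x.js', bank));
  console.log('bank: inline script allowed:', inlineScriptAllowed(POLICY3));
}
demo();
```

The two checks worth taking away: a host source without a scheme inherits the page's scheme, so an https page with `media1.example.com` in object-src still refuses `http://media1.example.com/...`; and `*.cdn.example.com` matches subdomains only, not `cdn.example.com` itself. If you want both, list both.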