What is Content Security Policy (CSP)?

The web’s security model is rooted in the same-origin policy. Code from a site (say, https://iq.opengenus.org) should only have access to https://iq.opengenus.org’s data, and no other site should ever be allowed access to it. Cross-site scripting (XSS) attacks, for example, bypass the same-origin policy by tricking a site into delivering malicious code along with the intended content. This is a huge problem, as browsers trust all of the code that shows up on a page as being legitimately part of that page’s security origin.
This is a companion discussion topic for the original entry at http://iq.opengenus.org/content-security-policy-csp/