If you wondered how X-Content-Security-Policy works in real life, here’s an example. X-Content-Security-Policy is a proposed mechanism for limiting the impact of injection attacks against websites, such as Cross-Site Scripting. For each page the server returns the CSP header in the HTTP response. The header describes what the browser should expect from the page and what it shouldn’t, so that content not covered by the policy (for example a script injected from another host) is refused rather than executed.
For example this website returns the following CSP header:
X-Content-Security-Policy: allow 'self'; script-src www.google.com www.readability.com; options inline-script; img-src *.creativecommons.org
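To make the decision the browser takes concrete, here is an added example (not code from the original post) that parses that exact header in the old X-Content-Security-Policy syntax and answers whether a given resource load would be allowed. The page origin `http://example.org` and the resource URLs are constructed; for brevity, host-only sources are compared on hostname alone, ignoring scheme and port.

```python
from urllib.parse import urlparse

# The header from the post, verbatim.
POLICY_HEADER = ("allow 'self'; script-src www.google.com www.readability.com; "
                 "options inline-script; img-src *.creativecommons.org")

def parse_policy(header):
    """Split the old X-CSP syntax into {directive: [source, ...]}."""
    directives = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives

def host_matches(pattern, host):
    """'*.example.org' matches subdomains only; anything else is an exact host match."""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return host == pattern

def is_allowed(policy, directive, resource_url, page_origin):
    """Would the browser load resource_url under the given directive (e.g. 'script-src')?
    A directive that is not listed falls back to the 'allow' default."""
    sources = policy.get(directive, policy.get("allow", []))
    host = (urlparse(resource_url).hostname or "").lower()
    page_host = (urlparse(page_origin).hostname or "").lower()
    for src in sources:
        if src == "'self'":
            if host == page_host:
                return True
        elif host_matches(src.lower(), host):
            return True
    return False

def inline_script_allowed(policy):
    """'options inline-script' re-enables inline <script> blocks, which X-CSP blocks by default."""
    return "inline-script" in policy.get("options", [])

if __name__ == "__main__":
    policy = parse_policy(POLICY_HEADER)
    origin = "http://example.org"
    # A remote script injected from an unlisted host is refused (constructed URL).
    print(is_allowed(policy, "script-src", "http://evil.example/xss.js", origin))      # False
    print(is_allowed(policy, "script-src", "http://www.google.com/jsapi", origin))    # True
    print(is_allowed(policy, "img-src", "http://i.creativecommons.org/l.png", origin))  # True
    print(inline_script_allowed(policy))                                                # True
```

Note that the wildcard `*.creativecommons.org` covers subdomains only, so an image served from the bare `creativecommons.org` host is refused, and an unlisted directive such as `style-src` inherits `allow 'self'`.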
Does this really work? Let’s try. The following line contains a JS block that should execute a remote script. It’s a classic Cross-Site Scripting test from the ha.ckers.org forum. On browsers supporting CSP you should see nothing (except for the JS source code block). On other browsers you will see a pop-up saying that this website is vulnerable to XSS: