Content Security Policy (CSP) is designed to mitigate cross-site scripting (XSS). When attackers find a website vulnerable to XSS, they have two options for injecting malicious scripts into it:
- Inline script: attackers put their code directly into your website's HTML.
- Script loaded from an external domain: attackers reference a script hosted on a domain they control from many infected sites and modify that script whenever they need to. All the changes are reflected on those sites.
XSS can happen to any website, but CSP is most useful on web pages that contain HTML forms for users to submit data, since such input can also be exploited to run malicious commands on the server.
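As an added example (not code from the original article), the following Python models how a browser evaluates a script against the `script-src` directive, showing that a weak policy with `'unsafe-inline'` and a bare `https:` source still lets both injection vectors through, while a strict allow-list blocks them. The two policies, the hostnames and the `script_allowed` helper are constructed for illustration; nonces, hashes and wildcard sources are out of scope.

```python
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Constructed policies (not from the original article): the weak one
# reproduces a common misconfiguration, the strict one allow-lists only
# the page's own origin and one CDN origin.
WEAK_CSP = "script-src 'self' 'unsafe-inline' https:"
STRICT_CSP = "script-src 'self' https://cdn.example.com"


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [source expressions]}."""
    policy: Dict[str, List[str]] = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def script_allowed(header: str, page_origin: str, script: Optional[str]) -> bool:
    """Return True if the script would execute under the policy.

    script=None models an inline <script> block; otherwise it is the URL of
    an external script. Simplified model: handles 'self', 'unsafe-inline',
    scheme-only sources such as https: and exact origins, and falls back to
    default-src when script-src is absent. Nonces, hashes and wildcards are
    not modelled.
    """
    policy = parse_csp(header)
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return True  # no applicable directive: nothing is restricted
    if script is None:
        # Inline injection is blocked unless the policy opts back in.
        return "'unsafe-inline'" in sources
    parts = urlsplit(script)
    script_origin = f"{parts.scheme}://{parts.netloc}"
    for src in sources:
        if src == "'self'" and script_origin == page_origin:
            return True
        if src.endswith(":") and parts.scheme == src[:-1]:
            return True  # scheme-only source, e.g. https: allows any https host
        if src == script_origin:
            return True
    return False
```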