CSP - alexanderteplov/computer-science GitHub Wiki
The Content Security Policy (CSP) mechanism uses the Content-Security-Policy header to restrict the origins from which a resource may be loaded. Possible source values include 'self' and an explicit origin such as "https://some-url.com".
Content-Security-Policy: default-src 'self'; img-src *; media-src media1.com media2.com; script-src userscripts.example.com
A primary goal of CSP is to mitigate and report XSS attacks. XSS attacks exploit the browser's trust in the content received from the server.
In addition to restricting the domains from which content can be loaded, the server can specify which protocols are allowed to be used; for example (and ideally, from a security standpoint), a server can specify that all content must be loaded using HTTPS. A complete data transmission security strategy includes not only enforcing HTTPS for data transfer but also marking all cookies with the secure attribute and providing automatic redirects from HTTP pages to their HTTPS counterparts. Sites may also use the Strict-Transport-Security HTTP header to ensure that browsers connect to them only over an encrypted channel.
By default, violation reports aren't sent. To enable violation reporting, you need to specify the report-uri policy directive, providing at least one URI to which to deliver the reports:
Content-Security-Policy: default-src 'self'; report-uri http://reportcollector.example.com/collector.cgi
Fetch directives control the locations from which certain resource types may be loaded (default-src, font-src, frame-src, img-src, ...).
Document directives govern the properties of a document or worker environment to which a policy applies (base-uri, sandbox).
Navigation directives govern to which locations a user can navigate or submit a form, for example (form-action, frame-ancestors).
Reporting directives control the reporting process of CSP violations (report-uri).
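As an added example (not code from the original wiki page), the following Python sketch parses a header value like the one above into its directives and decides whether a given resource would be permitted, including the rule that fetch directives fall back to default-src when they are absent. It is a simplified matcher for host sources, scheme sources, '*', 'self' and 'none', not the full CSP matching algorithm; the page origin and resource URLs are constructed values.

```python
from urllib.parse import urlparse

# Fetch directives that fall back to default-src when not set (subset shown).
FALLBACK_TO_DEFAULT = {"script-src", "img-src", "media-src", "font-src", "frame-src"}


def parse_csp(header):
    """Parse a Content-Security-Policy value into {directive: [source expressions]}."""
    policy = {}
    for chunk in header.split(";"):
        tokens = chunk.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def source_matches(source, page_origin, url):
    """Check one source expression against a resource URL (simplified)."""
    parsed = urlparse(url)
    host_name = parsed.hostname or ""
    if source == "'self'":
        return f"{parsed.scheme}://{parsed.netloc}" == page_origin
    if source == "'none'":
        return False
    if source == "*":
        return parsed.scheme in ("http", "https")  # '*' never matches data: or blob:
    if source.endswith(":"):  # scheme-source such as https:
        return parsed.scheme == source[:-1]
    # host-source: optional scheme, optional port, optional leading *. wildcard;
    # a schemeless host inherits the page origin's scheme (simplification).
    page_scheme = urlparse(page_origin).scheme
    src = urlparse(source if "://" in source else f"//{source}", scheme=page_scheme)
    if src.scheme != parsed.scheme:
        return False
    src_host = src.hostname or ""
    if src_host.startswith("*."):
        return host_name.endswith(src_host[1:])
    if src_host != host_name:
        return False
    return src.port is None or src.port == parsed.port


def is_allowed(policy, page_origin, directive, url):
    """Decide whether a resource governed by `directive` may be loaded."""
    sources = policy.get(directive)
    if sources is None and directive in FALLBACK_TO_DEFAULT:
        sources = policy.get("default-src")
    if sources is None:
        return True  # no applicable directive: CSP places no restriction
    return any(source_matches(s, page_origin, url) for s in sources)
```

The test below exercises the header shown earlier on this page against a constructed page origin.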