One of the many attack vectors that have made life easier for the bad guys in the last few years is cross-site scripting. This attack relies on specific vulnerabilities in Web applications that allow attackers to get their own malicious scripts onto a legitimate Web page. Browsers will then run those scripts as if they were part of the trusted Web page, enabling the attacker to plant malicious code on a victim's machine or steal sensitive data.
Content Security Policy is one mechanism for preventing these kinds of attacks by allowing users to define which content sources they trust. Chrome then will run scripts only from those trusted sources, creating a whitelist of known good content sources and ignoring content from all other sources."
Link to Original Source