This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019.
The introduction contains the following: "Content Security Policy (CSP) is not intended as a first line of defense against content injection vulnerabilities." For those readers not familiar with the details of secure programming, it would be useful to add a Note referring to some work(s) that address the "first line[s] of defense".
https://dvcs.w3.org/hg/content-security-policy/rev/70fe107c0569
Thanks.