Mozilla's new security policy
With CSP, the browser executes only scripts that come from sources the site has listed in a whitelist; everything else is blocked. A site operator can, for example, designate a dedicated script server as the only place from which scripts may be loaded and run. The point is not that injection itself becomes impossible: an attacker who manages to smuggle script into an HTML page still gets it onto the page, but because the injected code (including script written inline into the HTML) is not on the whitelist, the browser will not execute it.
CSP is nonetheless designed to be fully backwards-compatible. If a site sends no CSP header, the browser behaves exactly as it does today, with the same origin policy as the only restriction; browsers that do not understand CSP simply ignore the additional header. CSP should also offer some protection against clickjacking and allow a site to have requests for its HTTP pages automatically redirected to the HTTPS versions where these exist.
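As an added illustration of the whitelist mechanism and of the no-header fallback just described, here is a small model of the decision a CSP-aware browser makes before running a script. This is example code written for this page, not Mozilla's implementation and not code from the original article. It assumes the header syntax that was later standardised as Content-Security-Policy (default-src, script-src, 'self', 'unsafe-inline') rather than the 2009 draft's X-Content-Security-Policy wording, it ignores paths, nonces and reporting, and every host and URL in it is constructed for the demonstration.

```javascript
// Added example, not code from the article or from Mozilla: a minimal model of how a
// browser applies a CSP script whitelist. Uses the later standardised
// "Content-Security-Policy" directives (default-src / script-src), not the 2009
// draft's "X-Content-Security-Policy" header. All hosts and URLs are constructed.

const DEFAULT_PORT = { "https:": "443", "http:": "80" };

// "default-src 'self'; script-src 'self' https://cdn.example" ->
// { "default-src": ["'self'"], "script-src": ["'self'", "https://cdn.example"] }
function parsePolicy(header) {
  const policy = {};
  for (const directive of header.split(";")) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy[name.toLowerCase()] = sources;
  }
  return policy;
}

function originOf(url) {
  const u = new URL(url);
  return u.protocol + "//" + u.host; // u.host keeps a non-default port
}

// Does a single source expression permit loading `url` on the page at `pageUrl`?
// Supported: 'none', 'self', *, scheme-source ("https:") and host-source
// ("[scheme://]host[:port]", host may begin with "*."). Paths and nonces are omitted.
function sourceMatches(expr, url, pageUrl) {
  if (expr === "'none'") return false;
  if (expr === "*") return true;
  if (expr === "'self'") return originOf(url) === originOf(pageUrl);
  if (expr.startsWith("'")) return false; // other quoted keywords never whitelist a host
  const u = new URL(url);
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return u.protocol === expr.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^:/\s]+)(?::(\d+))?$/i.exec(expr);
  if (!m) return false; // malformed expression: fail closed
  const [, scheme, host, port] = m;
  if (scheme && u.protocol !== scheme.toLowerCase() + ":") return false;
  // An expression without a port matches only the scheme's default port.
  const wantPort = port !== undefined ? port : (DEFAULT_PORT[u.protocol] || "");
  const gotPort = u.port || DEFAULT_PORT[u.protocol] || "";
  if (wantPort !== gotPort) return false;
  const h = host.toLowerCase();
  if (h.startsWith("*.")) {
    const suffix = h.slice(1); // ".example.com" matches subdomains, not the apex host
    return u.hostname.endsWith(suffix) && u.hostname.length > suffix.length;
  }
  return u.hostname === h;
}

// May the browser run `script` on a page served with `header`?
// `script` is { src: "https://host/file.js" } or { inline: true }.
function isScriptAllowed(header, pageUrl, script) {
  if (!header) return true; // no policy header: pre-CSP behaviour, nothing is blocked
  const policy = parsePolicy(header);
  const sources = policy["script-src"] || policy["default-src"];
  if (!sources) return true; // neither directive present: scripts are unrestricted
  // Inline script (the classic XSS payload) runs only if the site explicitly re-enables it.
  if (script.inline) return sources.includes("'unsafe-inline'");
  return sources.some((expr) => sourceMatches(expr, script.src, pageUrl));
}

// Constructed scenario: the site whitelists itself and its own script server.
const PAGE = "https://www.example.com/account";
const HEADER = "default-src 'self'; script-src 'self' https://scripts.example.com";

function demo() {
  return {
    ownScriptServer:  isScriptAllowed(HEADER, PAGE, { src: "https://scripts.example.com/app.js" }),
    sameOrigin:       isScriptAllowed(HEADER, PAGE, { src: "https://www.example.com/ui.js" }),
    attackerHost:     isScriptAllowed(HEADER, PAGE, { src: "https://evil.example.net/x.js" }),
    injectedInline:   isScriptAllowed(HEADER, PAGE, { inline: true }),
    downgradedToHttp: isScriptAllowed(HEADER, PAGE, { src: "http://scripts.example.com/app.js" }),
    noHeaderInline:   isScriptAllowed("", PAGE, { inline: true }),
  };
}

console.log(demo());
```

Run it with node. The two results worth noticing are injectedInline (false: an injected inline script on a page that sends the header does not run unless the site opts back in with 'unsafe-inline') and noHeaderInline (true: with no header the browser behaves as it always has, which is the backwards-compatibility property described above). A real browser additionally governs eval, frames, images and other resource types, reports violations, and matches paths; this model keeps only the script whitelist.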
Google is also currently looking at delivering its pages over HTTPS by default, to improve security and prevent eavesdropping. Mozilla Security Program Manager Brandon Sterne has not, however, revealed when CSP can be expected to appear in Mozilla products.