A Content Security Policy provides web site operators with a manageable means of protecting their visitors from cross-site scripting and other attacks. And it's worth doing now, as the measures described already provide additional protection to the majority of users.
The extensive reporting functionality means that errors are easily tracked down during and after conversion to CSP. CSP can, however, cause problems for users on mobile networks. In some cases, the compression proxies used by mobile network operators mean that external scripts and style sheets are reintegrated into page code. If a proxy does this but fails to strip out the CSP header, the no-longer-external elements will be blocked.
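One way to use the violation reports to spot the proxy problem described above, as an added example that is not part of the original article: it counts inline script and style violations per page and client network, so a page that is served without inline code but reports inline violations from one carrier range stands out. The (client IP, report body) record format, the /24 grouping and the set of `blocked-uri` values treated as "inline" are assumptions.

```python
import json
from collections import defaultdict
from ipaddress import ip_network

# Assumption: browsers mark an inline violation with one of these blocked-uri values.
INLINE_MARKERS = {"", "self", "inline"}
INLINE_DIRECTIVES = {"script-src", "style-src", "default-src"}


def parse_report(body):
    """Return the csp-report dict, or None if the body is not a usable report."""
    try:
        report = json.loads(body)["csp-report"]
    except (ValueError, KeyError, TypeError):
        return None
    return report if isinstance(report, dict) else None


def inline_violations_by_network(records, prefix=24):
    """Return {document-uri: {network: count}} for (client_ip, raw_body) records."""
    hits = defaultdict(lambda: defaultdict(int))
    for client_ip, body in records:
        report = parse_report(body)
        if report is None:
            continue  # anyone can POST to a report endpoint; skip junk
        # violated-directive carries the whole directive; keep only its name
        directive = str(report.get("violated-directive", "")).split(" ")[0]
        blocked = str(report.get("blocked-uri", "missing"))
        if directive in INLINE_DIRECTIVES and blocked in INLINE_MARKERS:
            net = str(ip_network(f"{client_ip}/{prefix}", strict=False))
            hits[str(report.get("document-uri", "?"))][net] += 1
    return {page: dict(nets) for page, nets in hits.items()}


def _report(blocked, directive, doc="https://example.com/"):
    return json.dumps({"csp-report": {"document-uri": doc, "blocked-uri": blocked,
                                      "violated-directive": directive}})


# Constructed sample: two inline violations from one network, one ordinary
# external-host violation, one malformed body.
SAMPLE = [
    ("198.51.100.7", _report("", "script-src 'self'")),
    ("198.51.100.201", _report("self", "style-src 'self'")),
    ("203.0.113.5", _report("http://ads.example.net", "script-src 'self'")),
    ("203.0.113.9", "not json"),
]
```

Inline violations that appear only from a few networks, on pages known to ship without inline code, point to modification in transit rather than to a fault in the page itself.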
Despite CSP, it should not be forgotten that it is web site users that such a policy is designed to protect – not the web site or the server. Web site operators still need to take all reasonable measures to secure their servers. This means, in particular, ensuring that all components are kept up to date and carefully filtering user input, especially if it is destined to be fed into SQL statements.
The Web Application Security Working Group is currently discussing possible extensions for version 1.1 of the CSP specification. Issues under consideration include whether script and style elements should be assigned a random value to enable them to be re-embedded directly into the HTML. There is also talk of a meta tag to replace the HTTP header which would define further directives to restrict the targets for form-actions and plugin MIME types.