Content Security Policies (CSP) provide a powerful means to mitigate cross-site scripting (XSS) exploits. However, the protection provided by CSP is incomplete. For example, insecure server-side generation of script (e.g., JavaScript) and attacker control over script sources can lead to XSS conditions that cannot be mitigated by CSP.
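As an added example (not code from the original page), the sketch below illustrates the first case: a same-origin script whose body the server builds from user input passes a `script-src 'self'` policy, because the policy checks where a script comes from, not what it contains. The origin `https://app.example`, the function names and the `marker` callback are assumptions made for illustration, and the sample input is constructed.

```javascript
// Simplified model of the `script-src 'self'` decision: only the script URL's
// origin is compared with the page origin; the response body is never inspected.
function allowedBySelf(scriptUrl, pageOrigin) {
  return new URL(scriptUrl).origin === pageOrigin;
}

// Insecure generation: user input is concatenated into script source.
function generateScriptUnsafe(displayName) {
  return 'window.profile = { name: "' + displayName + '" };';
}

// Hardened generation: the value is serialized as data, so quotes and
// backslashes are escaped; "<" is escaped in case the output is ever inlined in HTML.
function generateScriptSafe(displayName) {
  const json = JSON.stringify({ name: String(displayName) }).replace(/</g, '\\u003c');
  return 'window.profile = ' + json + ';';
}

// Executes a generated script against a stub `window` and counts calls to
// `marker`, a harmless stand-in for code the server never meant to emit.
function runGenerated(script) {
  let calls = 0;
  const window = {};
  new Function('window', 'marker', script)(window, () => { calls += 1; });
  return { calls, name: window.profile.name };
}

// Constructed input: ends the string literal and the statement early.
const CONSTRUCTED_INPUT = '" }; marker(); window.x = { y: "';

const unsafeResult = runGenerated(generateScriptUnsafe(CONSTRUCTED_INPUT));
const safeResult = runGenerated(generateScriptSafe(CONSTRUCTED_INPUT));
console.log(allowedBySelf('https://app.example/profile.js?name=x', 'https://app.example'));
console.log(unsafeResult.calls, safeResult.calls);
```

The policy admits both generated scripts identically; only the hardened generator keeps the input as data, so the fix belongs in the server-side generation code and not in the policy.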